Low memory utilisation with high number of memory-constrained workloads

[c3d]

Summary

Trying deployments with increasing numbers of pods, I came across one scenario where Kata cannot utilize more than half the memory available in the cluster, whereas runc can take advantage of a much larger fraction.

Workload

The workload is a special simple workload intended to consume a configurable amount of memory and CPU. The deployment starts with the following yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: workload-deployment
  labels:
    app: workload

spec:
  replicas: 1
  selector:
    matchLabels:
      app: workload
  template:
    metadata:
      labels:
        app: workload
    spec:
      runtimeClassName: kata
      containers:
      - name: workload
        image: quay.io/c3d/workload
        env:
        - name: CPU
          value: "5"
        - name: MEMORY
          value: "500"
        - name: INCREMENT
          value: "250"
      resources:
        requests:
          memory: 384Mi
        limits:
          memory: 512Mi

A script then scales the deployment. The cluster has 5 worker nodes with a total of 80G available memory.

Observations

Without the memory request and limit, I observed the following as the number of containers increased:

With the memory request and limit, but without the runtimeClass (i.e. running with runc), I observe a similar pattern:

With kata, on the other hand, the memory utilization stays well below 50% of the memory of the cluster

Interestingly, the behavior does not seem to depend on the size of the limit. For example, with 512M request and 1G limit we get:

With 1G limit and 2G request we get:

Expectations

The expectation is that Kata would be able to use a larger fraction of the memory of the cluster.

Other relevant details

The runtimeClass contained the following Pod overhead during the testing:

Overhead:
  Pod Fixed:
    Cpu:     250m
    Memory:  160Mi

Kata configuration

[root@worker-0-0 core]# /usr/bin/kata-collect-data.sh

Show kata-collect-data.sh details

Meta details

Running kata-collect-data.sh version 2.0.0 (commit 3e7173828955b61d9b2bf6e0f59712fb9a5c8b98) at 2021-04-15.13:55:34.798247454+0000.

---

Runtime

Runtime is /bin/kata-runtime.

kata-env

/bin/kata-runtime kata-env

[Meta]
  Version = "1.0.25"

[Runtime]
  Debug = false
  Trace = false
  DisableGuestSeccomp = true
  DisableNewNetNs = false
  SandboxCgroupOnly = true
  Path = "/usr/bin/kata-runtime"
  [Runtime.Version]
    OCI = "1.0.1-dev"
    [Runtime.Version.Version]
      Semver = "2.0.0"
      Major = 2
      Minor = 0
      Patch = 0
      Commit = "3e7173828955b61d9b2bf6e0f59712fb9a5c8b98"
  [Runtime.Config]
    Path = "/etc/kata-containers/configuration.toml"

[Hypervisor]
  MachineType = "q35"
  Version = "QEMU emulator version 5.1.0 (qemu-kvm-5.1.0-20.module+el8.3.1+9918+230f5c26)\nCopyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers"
  Path = "/usr/libexec/qemu-kiwi"
  BlockDeviceDriver = "virtio-scsi"
  EntropySource = "/dev/urandom"
  SharedFS = "virtio-fs"
  VirtioFSDaemon = "/usr/libexec/virtiofsd"
  Msize9p = 8192
  MemorySlots = 10
  PCIeRootPort = 0
  HotplugVFIOOnRootBus = false
  Debug = false

[Image]
  Path = ""

[Kernel]
  Path = "/usr/lib/modules/4.18.0-240.15.1.el8_3.x86_64/vmlinuz"
  Parameters = "scsi_mod.scan=none"

[Initrd]
  Path = "/var/cache/kata-containers/osbuilder-images/4.18.0-240.15.1.el8_3.x86_64/\"rhcos\"-kata-4.18.0-240.15.1.el8_3.x86_64.initrd"

[Agent]
  Debug = false
  Trace = false
  TraceMode = ""
  TraceType = ""

[Host]
  Kernel = "4.18.0-240.15.1.el8_3.x86_64"
  Architecture = "amd64"
  VMContainerCapable = true
  SupportVSocks = true
  [Host.Distro]
    Name = "Red Hat Enterprise Linux CoreOS"
    Version = "4.8"
  [Host.CPU]
    Vendor = "GenuineIntel"
    Model = "Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz"
    CPUs = 8
  [Host.Memory]
    Total = 16389868
    Free = 5542400
    Available = 6749116

[Netmon]
  Path = "/usr/libexec/kata-containers/kata-netmon"
  Debug = false
  Enable = false
  [Netmon.Version]
    Semver = "2.0.0"
    Major = 2
    Minor = 0
    Patch = 0
    Commit = "<<unknown>>"

---

Runtime config files

Runtime config files

Runtime default config files

/etc/kata-containers/configuration.toml
/usr/share/kata-containers/defaults/configuration.toml

Runtime config file contents

cat "/etc/kata-containers/configuration.toml"

# Copyright (c) 2017-2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#

# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "cli/config/configuration-qemu.toml.in"
# XXX: Project:
# XXX:   Name: Kata Containers
# XXX:   Type: kata

[hypervisor.qemu]
path = "/usr/libexec/qemu-kiwi"
kernel = "/var/cache/kata-containers/vmlinuz.container"
initrd = "/var/cache/kata-containers/kata-containers-initrd.img"
machine_type = "q35"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = [".*"]

# List of valid annotations values for the hypervisor
# Each member of the list is a path pattern as described by glob(3).
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/usr/libexec/qemu-kiwi"]
valid_hypervisor_paths = ["/usr/libexec/qemu-kiwi"]

# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so as you
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = ""

# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = ""

# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators=""

# CPU features
# comma-separated list of cpu features to pass to the cpu
# For example, `cpu_features = "pmu=off,vmx=off"
cpu_features="pmu=off"

# Default number of vCPUs per SB/VM:
# unspecified or 0                --> will be set to 1
# < 0                             --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores
default_vcpus = 1

# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0             --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU
# the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what are you doing.
# NOTICE: on arm platform with gicv2 interrupt controller, set it to 8.
default_maxvcpus = 0

# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Until 30 devices per bridge can be hot plugged.
# * Until 5 PCI bridges can be cold plugged per VM.
#   This limitation could be a bug in qemu or in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0   --> will be set to 1
# > 1 <= 5           --> will be set to the specified number
# > 5                --> will be set to 5
default_bridges = 1

# Default memory size in MiB for SB/VM.
# If unspecified then it will be set 2048 MiB.
default_memory = 2048
#
# Default memory slots per SB/VM.
# If unspecified then it will be set 10.
# This is will determine the times that memory will be hotadded to sandbox/VM.
#memory_slots = 10

# The size in MiB will be plused to max memory of hypervisor.
# It is the memory address space for the NVDIMM devie.
# If set block storage driver (block_device_driver) to "nvdimm",
# should set memory_offset to the size of block device.
# Default 0
#memory_offset = 0

# Specifies virtio-mem will be enabled or not.
# Please note that this option should be used with the command
# "echo 1 > /proc/sys/vm/overcommit_memory".
# Default false
#enable_virtio_mem = true

# Disable block device from being used for a container's rootfs.
# In case of a storage driver like devicemapper where a container's
# root file system is backed by a block device, the block device is passed
# directly to the hypervisor for performance reasons.
# This flag prevents the block device from being passed to the hypervisor,
# 9pfs is used instead to pass the rootfs.
disable_block_device_use = false

# Shared file system type:
#   - virtio-fs (default)
#   - virtio-9p
shared_fs = "virtio-fs"

# Path to vhost-user-fs daemon.
virtio_fs_daemon = "/usr/libexec/virtiofsd"

# List of valid annotations values for the virtiofs daemon
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/usr/libexec/virtiofsd"]
valid_virtio_fs_daemon_paths = ["/usr/libexec/virtiofsd"]

# Default size of DAX cache in MiB
virtio_fs_cache_size = 0

# Extra args for virtiofsd daemon
#
# Format example:
#   ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
#
# see `virtiofsd -h` for possible options.
virtio_fs_extra_args = ["--thread-pool-size=1"]

# Cache mode:
#
#  - none
#    Metadata, data, and pathname lookup are not cached in guest. They are
#    always fetched from host and any changes are immediately pushed to host.
#
#  - auto
#    Metadata and pathname lookup cache expires after a configured amount of
#    time (default is 1 second). Data is cached while the file is open (close
#    to open consistency).
#
#  - always
#    Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "auto"

# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
block_device_driver = "virtio-scsi"

# Specifies cache-related options will be set to block devices or not.
# Default false
#block_device_cache_set = true

# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true

# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false
#block_device_cache_noflush = true

# Enable iothreads (data-plane) to be used. This causes IO to be
# handled in a separate IO thread. This is currently only implemented
# for SCSI.
#
enable_iothreads = false

# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true

# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically
# result in memory pre allocation
#enable_hugepages = true

# Enable vhost-user storage device, default false
# Enabling this will result in some Linux reserved block type
# major range 240-254 being chosen to represent vhost-user devices.
enable_vhost_user_store = false

# The base directory specifically used for vhost-user devices.
# Its sub-path "block" is used for block devices; "block/sockets" is
# where we expect vhost-user sockets to live; "block/devices" is where
# simulated block device nodes for vhost-user devices to live.
vhost_user_store_path = "/var/run/kata-containers/vhost-user"

# Enable vIOMMU, default false
# Enabling this will result in the VM having a vIOMMU device
# This will also add the following options to the kernel's
# command line: intel_iommu=on,iommu=pt
#enable_iommu = true

# Enable IOMMU_PLATFORM, default false
# Enabling this will result in the VM device having iommu_platform=on set
#enable_iommu_platform = true

# List of valid annotations values for the vhost user store path
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/var/run/kata-containers/vhost-user"]
valid_vhost_user_store_paths = ["/var/run/kata-containers/vhost-user"]

# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
# This option will be ignored if VM templating is enabled.
#file_mem_backend = ""

# List of valid annotations values for the file_mem_backend annotation
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: [""]
valid_file_mem_backends = [""]

# Enable swap of vm memory. Default false.
# The behaviour is undefined if mem_prealloc is also set to true
#enable_swap = true

# -pflash can add image file to VM. The arguments of it should be in format
# of ["/path/to/flash0.img", "/path/to/flash1.img"]
pflashes = []

# This option changes the default hypervisor and kernel parameters
# to enable debug output where available.
#
# Default false
#enable_debug = true

# Disable the customizations done in the runtime when it detects
# that it is running on top a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
#
#disable_nesting_checks = true

# This is the msize used for 9p shares. It is the number of bytes
# used for 9p packet payload.
#msize_9p = 8192

# If false and nvdimm is supported, use nvdimm device to plug guest image.
# Otherwise virtio-block device is used.
# Default is false
#disable_image_nvdimm = true

# VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on
# a bridge. This value is valid for "pc" machine type.
# Default false
#hotplug_vfio_on_root_bus = true

# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
# This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35"
# Default 0
#pcie_root_port = 2

# If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off
# security (vhost-net runs ring0) for network I/O performance.
#disable_vhost_net = true

#
# Default entropy source.
# The path to a host source of entropy (including a real hardware RNG)
# /dev/urandom and /dev/random are two main options.
# Be aware that /dev/random is a blocking source of entropy.  If the host
# runs out of entropy, the VMs boot time will increase leading to get startup
# timeouts.
# The source of entropy /dev/urandom is non-blocking and provides a
# generally acceptable source of entropy. It should work well for pretty much
# all practical purposes.
#entropy_source= "/dev/urandom"

# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,postart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered while scanning for hooks,
# but it will not abort container execution.
#guest_hook_path = "/usr/share/oci/hooks"
#
# Use rx Rate Limiter to control network I/O inbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) to discipline traffic.
# Default 0-sized value means unlimited rate.
#rx_rate_limiter_max_rate = 0
# Use tx Rate Limiter to control network I/O outbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) and ifb(Intermediate Functional Block)
# to discipline traffic.
# Default 0-sized value means unlimited rate.
#tx_rate_limiter_max_rate = 0

# Set where to save the guest memory dump file.
# If set, when GUEST_PANICKED event occurred,
# guest memeory will be dumped to host filesystem under guest_memory_dump_path,
# This directory will be created automatically if it does not exist.
#
# The dumped file(also called vmcore) can be processed with crash or gdb.
#
# WARNING:
#   Dump guest’s memory can take very long depending on the amount of guest memory
#   and use much disk space.
#guest_memory_dump_path="/var/crash/kata"

# If enable paging.
# Basically, if you want to use "gdb" rather than "crash",
# or need the guest-virtual addresses in the ELF vmcore,
# then you should enable paging.
#
# See: https://www.qemu.org/docs/master/qemu-qmp-ref.html#Dump-guest-memory for details
#guest_memory_dump_paging=false

[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
# creation and saves a lot of memory if there are many kata containers running
# on the same host.
#
# When disabled, new VMs are created from scratch.
#
# Note: Requires "initrd=" to be set ("image=" is not supported).
#
# Default false
#enable_template = true

# Specifies the path of template.
#
# Default "/run/vc/vm/template"
#template_path = "/run/vc/vm/template"

# The number of caches of VMCache:
# unspecified or == 0   --> VMCache is disabled
# > 0                   --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket.  The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client.  It will request gRPC format
# VM and convert it back to a VM.  If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
#vm_cache_number = 0

# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
#vm_cache_endpoint = "/var/run/kata-containers/cache.sock"

[agent.kata]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
#enable_debug = true

# Enable agent tracing.
#
# If enabled, the default trace mode is "dynamic" and the
# default trace type is "isolated". The trace mode and type are set
# explicity with the `trace_type=` and `trace_mode=` options.
#
# Notes:
#
# - Tracing is ONLY enabled when `enable_tracing` is set: explicitly
#   setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing`
#   will NOT activate agent tracing.
#
# - See https://github.com/kata-containers/agent/blob/master/TRACING.md for
#   full details.
#
# (default: disabled)
#enable_tracing = true
#
#trace_mode = "dynamic"
#trace_type = "isolated"

# Comma separated list of kernel modules and their parameters.
# These modules will be loaded in the guest kernel using modprobe(8).
# The following example can be used to load two kernel modules with parameters
#  - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"]
# The first word is considered as the module name and the rest as its parameters.
# Container will not be started when:
#  * A kernel module is specified and the modprobe command is not installed in the guest
#    or it fails loading the module.
#  * The module is not available in the guest or it doesn't met the guest kernel
#    requirements, like architecture and version.
#
kernel_modules=[]

# Enable debug console.

# If enabled, user can connect guest OS running inside hypervisor
# through "kata-runtime exec <sandbox-id>" command

#debug_console_enabled = true

[netmon]
# If enabled, the network monitoring process gets started when the
# sandbox is created. This allows for the detection of some additional
# network being added to the existing network namespace, after the
# sandbox has been created.
# (default: disabled)
#enable_netmon = true

# Specify the path to the netmon binary.
path = "/usr/libexec/kata-containers/kata-netmon"

# If enabled, netmon messages will be sent to the system log
# (default: disabled)
#enable_debug = true

[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
#enable_debug = true
#
# Internetworking model
# Determines how the VM should be connected to the
# the container network interface
# Options:
#
#   - macvtap
#     Used when the Container network interface can be bridged using
#     macvtap.
#
#   - none
#     Used when customize network. Only creates a tap device. No veth pair.
#
#   - tcfilter
#     Uses tc filter rules to redirect traffic from the network interface
#     provided by plugin to a tap interface connected to the VM.
#
internetworking_model="tcfilter"

# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest
# (default: true)
disable_guest_seccomp=true

# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true

# Set the full url to the Jaeger HTTP Thrift collector.
# The default if not set will be "http://localhost:14268/api/traces"
#jaeger_endpoint = ""

# Sets the username to be used if basic auth is required for Jaeger.
#jaeger_user = ""

# Sets the password to be used if basic auth is required for Jaeger.
#jaeger_password = ""

# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# `disable_new_netns` conflicts with `enable_netmon`
# `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# If you are using docker, `disable_new_netns` only works with `docker run --net=none`
# (default: false)
#disable_new_netns = true

# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
# The container cgroups in the host are not created, just one single cgroup per sandbox.
# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
# The sandbox cgroup is constrained if there is no container type annotation.
# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
sandbox_cgroup_only=true

# If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
# This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.
# If defaults are utilized, these mounts should be available in the guest at `/run/kata-containers/shared/containers/sandbox-mounts`
# These will not be exposed to the container workloads, and are only provided for potential guest services.
sandbox_bind_mounts=[]

# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# they may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# (default: [])
experimental=[]

# If enabled, user can run pprof tools with shim v2 process through kata-monitor.
# (default: false)
# enable_pprof = true

Config file `/usr/share/defaults/kata-containers/configuration.toml` not found

cat "/usr/share/kata-containers/defaults/configuration.toml"

# Copyright (c) 2017-2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#

# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "cli/config/configuration-qemu.toml.in"
# XXX: Project:
# XXX:   Name: Kata Containers
# XXX:   Type: kata

[hypervisor.qemu]
path = "/usr/libexec/qemu-kiwi"
kernel = "/var/cache/kata-containers/vmlinuz.container"
initrd = "/var/cache/kata-containers/kata-containers-initrd.img"
machine_type = "q35"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = [".*"]

# List of valid annotations values for the hypervisor
# Each member of the list is a path pattern as described by glob(3).
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/usr/libexec/qemu-kiwi"]
valid_hypervisor_paths = ["/usr/libexec/qemu-kiwi"]

# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so as you
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = ""

# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = ""

# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators=""

# CPU features
# comma-separated list of cpu features to pass to the cpu
# For example, `cpu_features = "pmu=off,vmx=off"
cpu_features="pmu=off"

# Default number of vCPUs per SB/VM:
# unspecified or 0                --> will be set to 1
# < 0                             --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores
default_vcpus = 1

# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0             --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU
# the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what are you doing.
# NOTICE: on arm platform with gicv2 interrupt controller, set it to 8.
default_maxvcpus = 0

# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Until 30 devices per bridge can be hot plugged.
# * Until 5 PCI bridges can be cold plugged per VM.
#   This limitation could be a bug in qemu or in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0   --> will be set to 1
# > 1 <= 5           --> will be set to the specified number
# > 5                --> will be set to 5
default_bridges = 1

# Default memory size in MiB for SB/VM.
# If unspecified then it will be set 2048 MiB.
default_memory = 2048
#
# Default memory slots per SB/VM.
# If unspecified then it will be set 10.
# This is will determine the times that memory will be hotadded to sandbox/VM.
#memory_slots = 10

# The size in MiB will be plused to max memory of hypervisor.
# It is the memory address space for the NVDIMM devie.
# If set block storage driver (block_device_driver) to "nvdimm",
# should set memory_offset to the size of block device.
# Default 0
#memory_offset = 0

# Specifies virtio-mem will be enabled or not.
# Please note that this option should be used with the command
# "echo 1 > /proc/sys/vm/overcommit_memory".
# Default false
#enable_virtio_mem = true

# Disable block device from being used for a container's rootfs.
# In case of a storage driver like devicemapper where a container's
# root file system is backed by a block device, the block device is passed
# directly to the hypervisor for performance reasons.
# This flag prevents the block device from being passed to the hypervisor,
# 9pfs is used instead to pass the rootfs.
disable_block_device_use = false

# Shared file system type:
#   - virtio-fs (default)
#   - virtio-9p
shared_fs = "virtio-fs"

# Path to vhost-user-fs daemon.
virtio_fs_daemon = "/usr/libexec/virtiofsd"

# List of valid annotations values for the virtiofs daemon
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/usr/libexec/virtiofsd"]
valid_virtio_fs_daemon_paths = ["/usr/libexec/virtiofsd"]

# Default size of DAX cache in MiB
virtio_fs_cache_size = 0

# Extra args for virtiofsd daemon
#
# Format example:
#   ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
#
# see `virtiofsd -h` for possible options.
virtio_fs_extra_args = ["--thread-pool-size=1"]

# Cache mode:
#
#  - none
#    Metadata, data, and pathname lookup are not cached in guest. They are
#    always fetched from host and any changes are immediately pushed to host.
#
#  - auto
#    Metadata and pathname lookup cache expires after a configured amount of
#    time (default is 1 second). Data is cached while the file is open (close
#    to open consistency).
#
#  - always
#    Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "auto"

# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
block_device_driver = "virtio-scsi"

# Specifies cache-related options will be set to block devices or not.
# Default false
#block_device_cache_set = true

# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true

# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false
#block_device_cache_noflush = true

# Enable iothreads (data-plane) to be used. This causes IO to be
# handled in a separate IO thread. This is currently only implemented
# for SCSI.
#
enable_iothreads = false

# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true

# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically
# result in memory pre allocation
#enable_hugepages = true

# Enable vhost-user storage device, default false
# Enabling this will result in some Linux reserved block type
# major range 240-254 being chosen to represent vhost-user devices.
enable_vhost_user_store = false

# The base directory specifically used for vhost-user devices.
# Its sub-path "block" is used for block devices; "block/sockets" is
# where we expect vhost-user sockets to live; "block/devices" is where
# simulated block device nodes for vhost-user devices to live.
vhost_user_store_path = "/var/run/kata-containers/vhost-user"

# Enable vIOMMU, default false
# Enabling this will result in the VM having a vIOMMU device
# This will also add the following options to the kernel's
# command line: intel_iommu=on,iommu=pt
#enable_iommu = true

# Enable IOMMU_PLATFORM, default false
# Enabling this will result in the VM device having iommu_platform=on set
#enable_iommu_platform = true

# List of valid annotations values for the vhost user store path
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/var/run/kata-containers/vhost-user"]
valid_vhost_user_store_paths = ["/var/run/kata-containers/vhost-user"]

# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
# This option will be ignored if VM templating is enabled.
#file_mem_backend = ""

# List of valid annotations values for the file_mem_backend annotation
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: [""]
valid_file_mem_backends = [""]

# Enable swap of vm memory. Default false.
# The behaviour is undefined if mem_prealloc is also set to true
#enable_swap = true

# -pflash can add image file to VM. The arguments of it should be in format
# of ["/path/to/flash0.img", "/path/to/flash1.img"]
pflashes = []

# This option changes the default hypervisor and kernel parameters
# to enable debug output where available.
#
# Default false
#enable_debug = true

# Disable the customizations done in the runtime when it detects
# that it is running on top a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
#
#disable_nesting_checks = true

# This is the msize used for 9p shares. It is the number of bytes
# used for 9p packet payload.
#msize_9p = 8192

# If false and nvdimm is supported, use nvdimm device to plug guest image.
# Otherwise virtio-block device is used.
# Default is false
#disable_image_nvdimm = true

# VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on
# a bridge. This value is valid for "pc" machine type.
# Default false
#hotplug_vfio_on_root_bus = true

# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
# This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35"
# Default 0
#pcie_root_port = 2

# If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off
# security (vhost-net runs ring0) for network I/O performance.
#disable_vhost_net = true

#
# Default entropy source.
# The path to a host source of entropy (including a real hardware RNG)
# /dev/urandom and /dev/random are two main options.
# Be aware that /dev/random is a blocking source of entropy.  If the host
# runs out of entropy, the VMs boot time will increase leading to get startup
# timeouts.
# The source of entropy /dev/urandom is non-blocking and provides a
# generally acceptable source of entropy. It should work well for pretty much
# all practical purposes.
#entropy_source= "/dev/urandom"

# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,postart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered while scanning for hooks,
# but it will not abort container execution.
#guest_hook_path = "/usr/share/oci/hooks"
#
# Use rx Rate Limiter to control network I/O inbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) to discipline traffic.
# Default 0-sized value means unlimited rate.
#rx_rate_limiter_max_rate = 0
# Use tx Rate Limiter to control network I/O outbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) and ifb(Intermediate Functional Block)
# to discipline traffic.
# Default 0-sized value means unlimited rate.
#tx_rate_limiter_max_rate = 0

# Set where to save the guest memory dump file.
# If set, when GUEST_PANICKED event occurred,
# guest memeory will be dumped to host filesystem under guest_memory_dump_path,
# This directory will be created automatically if it does not exist.
#
# The dumped file(also called vmcore) can be processed with crash or gdb.
#
# WARNING:
#   Dump guest’s memory can take very long depending on the amount of guest memory
#   and use much disk space.
#guest_memory_dump_path="/var/crash/kata"

# If enable paging.
# Basically, if you want to use "gdb" rather than "crash",
# or need the guest-virtual addresses in the ELF vmcore,
# then you should enable paging.
#
# See: https://www.qemu.org/docs/master/qemu-qmp-ref.html#Dump-guest-memory for details
#guest_memory_dump_paging=false

[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
# creation and saves a lot of memory if there are many kata containers running
# on the same host.
#
# When disabled, new VMs are created from scratch.
#
# Note: Requires "initrd=" to be set ("image=" is not supported).
#
# Default false
#enable_template = true

# Specifies the path of template.
#
# Default "/run/vc/vm/template"
#template_path = "/run/vc/vm/template"

# The number of caches of VMCache:
# unspecified or == 0   --> VMCache is disabled
# > 0                   --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket.  The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client.  It will request gRPC format
# VM and convert it back to a VM.  If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
#vm_cache_number = 0

# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
#vm_cache_endpoint = "/var/run/kata-containers/cache.sock"

[agent.kata]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
#enable_debug = true

# Enable agent tracing.
#
# If enabled, the default trace mode is "dynamic" and the
# default trace type is "isolated". The trace mode and type are set
# explicity with the `trace_type=` and `trace_mode=` options.
#
# Notes:
#
# - Tracing is ONLY enabled when `enable_tracing` is set: explicitly
#   setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing`
#   will NOT activate agent tracing.
#
# - See https://github.com/kata-containers/agent/blob/master/TRACING.md for
#   full details.
#
# (default: disabled)
#enable_tracing = true
#
#trace_mode = "dynamic"
#trace_type = "isolated"

# Comma separated list of kernel modules and their parameters.
# These modules will be loaded in the guest kernel using modprobe(8).
# The following example can be used to load two kernel modules with parameters
#  - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"]
# The first word is considered as the module name and the rest as its parameters.
# Container will not be started when:
#  * A kernel module is specified and the modprobe command is not installed in the guest
#    or it fails loading the module.
#  * The module is not available in the guest or it doesn't met the guest kernel
#    requirements, like architecture and version.
#
kernel_modules=[]

# Enable debug console.

# If enabled, user can connect guest OS running inside hypervisor
# through "kata-runtime exec <sandbox-id>" command

#debug_console_enabled = true

[netmon]
# If enabled, the network monitoring process gets started when the
# sandbox is created. This allows for the detection of some additional
# network being added to the existing network namespace, after the
# sandbox has been created.
# (default: disabled)
#enable_netmon = true

# Specify the path to the netmon binary.
path = "/usr/libexec/kata-containers/kata-netmon"

# If enabled, netmon messages will be sent to the system log
# (default: disabled)
#enable_debug = true

[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
#enable_debug = true
#
# Internetworking model
# Determines how the VM should be connected to the
# the container network interface
# Options:
#
#   - macvtap
#     Used when the Container network interface can be bridged using
#     macvtap.
#
#   - none
#     Used when customize network. Only creates a tap device. No veth pair.
#
#   - tcfilter
#     Uses tc filter rules to redirect traffic from the network interface
#     provided by plugin to a tap interface connected to the VM.
#
internetworking_model="tcfilter"

# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest
# (default: true)
disable_guest_seccomp=true

# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true

# Set the full url to the Jaeger HTTP Thrift collector.
# The default if not set will be "http://localhost:14268/api/traces"
#jaeger_endpoint = ""

# Sets the username to be used if basic auth is required for Jaeger.
#jaeger_user = ""

# Sets the password to be used if basic auth is required for Jaeger.
#jaeger_password = ""

# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# `disable_new_netns` conflicts with `enable_netmon`
# `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# If you are using docker, `disable_new_netns` only works with `docker run --net=none`
# (default: false)
#disable_new_netns = true

# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
# The container cgroups in the host are not created, just one single cgroup per sandbox.
# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
# The sandbox cgroup is constrained if there is no container type annotation.
# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
sandbox_cgroup_only=true

# If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
# This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.
# If defaults are utilized, these mounts should be available in the guest at `/run/kata-containers/shared/containers/sandbox-mounts`
# These will not be exposed to the container workloads, and are only provided for potential guest services.
sandbox_bind_mounts=[]

# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# they may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# (default: [])
experimental=[]

# If enabled, user can run pprof tools with shim v2 process through kata-monitor.
# (default: false)
# enable_pprof = true

---

Containerd shim v2

Containerd shim v2 is /bin/containerd-shim-kata-v2.

containerd-shim-kata-v2 --version

Kata Containers containerd shim: id: "io.containerd.kata.v2", version: 2.0.0, commit: 83d5a499416c751dd4858b406bc6c650f5f0d44c-dirty

---

KSM throttler

KSM throttler

version

systemd service

Image details

Image details

No image

---

Initrd details

Initrd details

unknown

---

Logfiles

Logfiles

Runtime logs

Runtime logs

No recent runtime problems found in system journal.

Throttler logs

Throttler logs

No recent throttler problems found in system journal.

Kata Containerd Shim v2 logs

Kata Containerd Shim v2

Recent problems found in system journal:

time="2021-04-15T11:57:20.750701803Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:21.750519844Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:21.75065244Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:22.750534994Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:22.750737919Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:23.750534118Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:23.750697195Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:24.750590433Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:24.750802868Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:25.750525052Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:25.750677357Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:26.750513571Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:26.750697243Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:27.75060999Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:27.750771423Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:28.750564573Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:28.750782749Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:29.367305476Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182163 sandbox=38bfd9dccabe53e41f31e5b39599145e209665d4fc3c0a7a441223808efc9ec5 source=containerd-kata-shim-v2
time="2021-04-15T11:57:29.483951497Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3161939 sandbox=7ea686d66cff96ef53bcb41e09d0bc29772c88a9bbc5bed3d6236fdae46e2c30 source=containerd-kata-shim-v2
time="2021-04-15T11:57:29.638025559Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3098991 sandbox=e5b9138fb5a8b4602c97cacea196ce300d5e7f47555129914fd4c12d622c4ec1 source=containerd-kata-shim-v2
time="2021-04-15T11:57:29.750867267Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:29.751017604Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:29.756919723Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182042 sandbox=edf8927f37aceed862e0fb31b7fdfd6a8c79d8375465902898f7ed23f6a2c5e6 source=containerd-kata-shim-v2
time="2021-04-15T11:57:29.886626238Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3131887 sandbox=6afe10d1a719109c310eabee8a9073f040d0331b026792ab5d29fd1504424ff6 source=containerd-kata-shim-v2
time="2021-04-15T11:57:30.0850417Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3090881 sandbox=54929b8516a2648faf847c8dc02dd779551767a2e086a469816f8a9f28c7d8aa source=containerd-kata-shim-v2
time="2021-04-15T11:57:30.222557401Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182261 sandbox=25ae25f48af0b4355fdbbd29fd939f81b99eecee73bb846d067d08329ba2c19c source=containerd-kata-shim-v2
time="2021-04-15T11:57:30.392675983Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3096955 sandbox=dc5bcce8fe6d49fde3147f315f4b6b62c342437b8cdf26be1f50f83fc015d6ca source=containerd-kata-shim-v2
time="2021-04-15T11:57:30.60577855Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3091520 sandbox=8bc18ae03aa9e3b4b47e4062781aec4b524f79c7490a450255f9f57efdb9d27c source=containerd-kata-shim-v2
time="2021-04-15T11:57:30.755104105Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:30.755282654Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:30.813357647Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3163429 sandbox=8bec6c0070ded6942dcb01d2c4ba6f76498b05b809f4f9dd294841e5c5ef2bc8 source=containerd-kata-shim-v2
time="2021-04-15T11:57:30.970442743Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3163323 sandbox=3704fab9386983add09627fdec6cdb39cbacae4e252609f5530119a1b49b6447 source=containerd-kata-shim-v2
time="2021-04-15T11:57:31.144104357Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182254 sandbox=f8c68fd40972d2fb0a537fa263d667c8305dbabf699c216f5ebc30c7c3e363b2 source=containerd-kata-shim-v2
time="2021-04-15T11:57:31.299123388Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3131993 sandbox=f44246cd0dff2fab1f4a0fbc331da9cf2e64c778a54d89034f08445e63093991 source=containerd-kata-shim-v2
time="2021-04-15T11:57:31.41970476Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3131880 sandbox=f05af4dfe9eee78773939d9b8a23b8f0046ea7139eca04b0b591d2803c805ecd source=containerd-kata-shim-v2
time="2021-04-15T11:57:31.558058005Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3092242 sandbox=1c76f565668fa4d9eb64313da5342cd6c26420036da53f44a87c39fb454ddd62 source=containerd-kata-shim-v2
time="2021-04-15T11:57:31.744961017Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182265 sandbox=4127c198cf3299d1e19297490425e0fe09f3851d748c719bdf94c34893389cfc source=containerd-kata-shim-v2
time="2021-04-15T11:57:31.755811081Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:31.755973338Z" level=warning msg="watcher channel is full, throw notify message" channel-size=128 name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=virtcontainers
time="2021-04-15T11:57:31.892676347Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182082 sandbox=8898e5b41662c69b6a24ca91d3d547ecba75b63ad1783366935c56defce66c68 source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.000143098Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3181941 sandbox=9743a250323a6afec986a6a00956960003c01a41c73e29e8af1358e27a010352 source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.176821786Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3113972 sandbox=d2d54ec9cc4437ad0414f39315a18ca83fee8bc9a1b542c57ebf299df18c87f3 source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.301408104Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3100790 sandbox=df02a4fd9811e746c9248f3a106234025fea44fe89eec9e3ae85c6cf7fb82fd5 source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.48479145Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3094268 sandbox=ba9758d5f5dca98cb2d539061a9b9af956c433955727b399497fbac4e5caa8a0 source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.656610598Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3091500 sandbox=c908199b8c80a8793386f86142cac92c2194154d3e65a0ae59d6c990942d210d source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.821130397Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3162037 sandbox=8b8b5b11e1607ee8e946f1b250bca96caec1aaf26933dc8e7e377af7cf49d4b7 source=containerd-kata-shim-v2
time="2021-04-15T11:57:32.986281839Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3091784 sandbox=f3c24db5777b10bd1e6311b41792ee778579abfa97bd8239f20cb289a9afac0a source=containerd-kata-shim-v2
time="2021-04-15T11:57:33.151317314Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3147110 sandbox=ac558d5030b1b7f9f4b4087d72db847bd42080eb21976ba3541f2f0d36e56211 source=containerd-kata-shim-v2
time="2021-04-15T11:57:33.28929341Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3090552 sandbox=9b49fa57ce44f3284b6d304411de2dbd9cf9af5166ad054d269595ab755d7983 source=containerd-kata-shim-v2
time="2021-04-15T11:57:33.424812413Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory" name=containerd-shim-v2 pid=3182300 sandbox=5c363c594649f7075ccb2a68b44c72ddc56660ced387532a99de387947d1cbdb source=containerd-kata-shim-v2

---

Container manager details

Container manager details

Kubernetes

Kubernetes

kubectl version

Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.1-5-g76a04fc", GitCommit:"1054107c6f831f2dd69f57e3a3fc926ec4bc6eda", GitTreeState:"clean", BuildDate:"2021-03-21T05:28:24Z", GoVersion:"go1.15.7", Compiler:"gc", Platform:"linux/amd64"}

kubectl config view

apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

systemctl show kubelet

Type=notify
Restart=always
NotifyAccess=main
RestartUSec=10s
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestamp=Thu 2021-03-25 17:40:51 UTC
WatchdogTimestampMonotonic=24678410
PermissionsStartOnly=no
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=5201
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestamp=Thu 2021-03-25 17:40:40 UTC
ExecMainStartTimestampMonotonic=13119272
ExecMainExitTimestampMonotonic=0
ExecMainPID=5201
ExecMainCode=0
ExecMainStatus=0
ExecStartPre={ path=/bin/mkdir ; argv[]=/bin/mkdir --parents /etc/kubernetes/manifests ; ignore_errors=no ; start_time=[Thu 2021-03-25 17:40:40 UTC] ; stop_time=[Thu 2021-03-25 17:40:40 UTC] ; pid=5190 ; code=exited ; status=0 }
ExecStartPre={ path=/bin/rm ; argv[]=/bin/rm -f /var/lib/kubelet/cpu_manager_state ; ignore_errors=no ; start_time=[Thu 2021-03-25 17:40:40 UTC] ; stop_time=[Thu 2021-03-25 17:40:40 UTC] ; pid=5199 ; code=exited ; status=0 }
ExecStart={ path=/usr/bin/hyperkube ; argv[]=/usr/bin/hyperkube kubelet --config=/etc/kubernetes/kubelet.conf --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig --kubeconfig=/var/lib/kubelet/kubeconfig --container-runtime=remote --container-runtime-endpoint=/var/run/crio/crio.sock --runtime-cgroups=/system.slice/crio.service --node-labels=node-role.kubernetes.io/worker,node.openshift.io/os_id=${ID} --node-ip=${KUBELET_NODE_IPS} --address=${KUBELET_NODE_IP} --minimum-container-ttl-duration=6m0s --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec --cloud-provider= --pod-infra-container-image=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c649d641be44ad9fa7e837ed019dd3dbc6efc42b372343b9f9936fee1f67bdda --v=${KUBELET_LOG_LEVEL} ; ignore_errors=no ; start_time=[Thu 2021-03-25 17:40:40 UTC] ; stop_time=[n/a] ; pid=5201 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/kubelet.service
MemoryCurrent=695590912
CPUUsageNSec=625859122254873
EffectiveCPUs=
EffectiveMemoryNodes=
TasksCurrent=1072
IPIngressBytes=18446744073709551615
IPIngressPackets=18446744073709551615
IPEgressBytes=18446744073709551615
IPEgressPackets=18446744073709551615
Delegate=no
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
CPUQuotaPeriodUSec=infinity
AllowedCPUs=
AllowedMemoryNodes=
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=yes
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
DefaultMemoryLow=0
DefaultMemoryMin=0
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=101611
IPAccounting=no
Environment=GODEBUG=x509ignoreCN=0,madvdontneed=1 KUBELET_LOG_LEVEL=2 KUBELET_NODE_IP=192.168.123.120 KUBELET_NODE_IPS=192.168.123.120,fd2e:6f44:5dd8::7f
EnvironmentFiles=/etc/os-release (ignore_errors=no)
EnvironmentFiles=/etc/kubernetes/kubelet-workaround (ignore_errors=yes)
EnvironmentFiles=/etc/kubernetes/kubelet-env (ignore_errors=yes)
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=262144
LimitNOFILESoft=1024
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=63507
LimitNPROCSoft=63507
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=63507
LimitSIGPENDINGSoft=63507
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=0
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
CPUAffinity=
NUMAPolicy=n/a
NUMAMask=
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictSUIDSGID=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=control-group
KillSignal=15
SendSIGKILL=yes
SendSIGHUP=no
Id=kubelet.service
Names=kubelet.service
Requires=system.slice machine-config-daemon-firstboot.service sysinit.target
Wants=crio.service network-online.target rpc-statd.service
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=multi-user.target shutdown.target
After=basic.target nodeip-configuration.service systemd-journald.socket system.slice machine-config-daemon-firstboot.service ovs-configuration.service ostree-finalize-staged.service crio.service network-online.target sysinit.target
Description=Kubernetes Kubelet
LoadState=loaded
ActiveState=active
FreezerState=running
SubState=running
FragmentPath=/etc/systemd/system/kubelet.service
DropInPaths=/etc/systemd/system/kubelet.service.d/10-mco-default-madv.conf /etc/systemd/system/kubelet.service.d/20-logging.conf /etc/systemd/system/kubelet.service.d/20-nodenet.conf
UnitFileState=enabled
UnitFilePreset=disabled
StateChangeTimestamp=Thu 2021-03-25 17:40:51 UTC
StateChangeTimestampMonotonic=24678412
InactiveExitTimestamp=Thu 2021-03-25 17:40:40 UTC
InactiveExitTimestampMonotonic=13111339
ActiveEnterTimestamp=Thu 2021-03-25 17:40:51 UTC
ActiveEnterTimestampMonotonic=24678412
ActiveExitTimestampMonotonic=0
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
CanFreeze=yes
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=yes
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Thu 2021-03-25 17:40:40 UTC
ConditionTimestampMonotonic=13110055
AssertTimestamp=Thu 2021-03-25 17:40:40 UTC
AssertTimestampMonotonic=13110056
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=87652744e9d147d88ce54393da3f529f
CollectMode=inactive

crio

crio

crio --version

time="2021-04-15T13:56:06Z" level=info msg="Starting CRI-O, version: 1.21.0-31.rhaos4.8.git30ec358.el8-dev, git: ()"
crio version 1.21.0-31.rhaos4.8.git30ec358.el8-dev
Version:    1.21.0-31.rhaos4.8.git30ec358.el8-dev
GoVersion:  go1.15.7
Compiler:   gc
Platform:   linux/amd64
Linkmode:   dynamic

systemctl show crio

Type=notify
Restart=on-abnormal
NotifyAccess=main
RestartUSec=100ms
TimeoutStartUSec=infinity
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestamp=Thu 2021-03-25 17:40:40 UTC
WatchdogTimestampMonotonic=13108770
PermissionsStartOnly=no
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=5121
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestamp=Thu 2021-03-25 17:40:39 UTC
ExecMainStartTimestampMonotonic=12950437
ExecMainExitTimestampMonotonic=0
ExecMainPID=5121
ExecMainCode=0
ExecMainStatus=0
ExecStart={ path=/usr/bin/crio ; argv[]=/usr/bin/crio --stream-address=${CONTAINER_STREAM_ADDRESS} $CRIO_STORAGE_OPTIONS $CRIO_NETWORK_OPTIONS $CRIO_METRICS_OPTIONS ; ignore_errors=no ; start_time=[Thu 2021-03-25 17:40:39 UTC] ; stop_time=[n/a] ; pid=5121 ; code=(null) ; status=0/0 }
ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/crio.service
MemoryCurrent=4694732800
CPUUsageNSec=289555548925915
EffectiveCPUs=
EffectiveMemoryNodes=
TasksCurrent=347
IPIngressBytes=18446744073709551615
IPIngressPackets=18446744073709551615
IPEgressBytes=18446744073709551615
IPEgressPackets=18446744073709551615
Delegate=no
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
CPUQuotaPeriodUSec=infinity
AllowedCPUs=
AllowedMemoryNodes=
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=yes
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
DefaultMemoryLow=0
DefaultMemoryMin=0
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=infinity
IPAccounting=no
Environment=GOTRACEBACK=crash GODEBUG=x509ignoreCN=0,madvdontneed=1 ENABLE_PROFILE_UNIX_SOCKET=true CONTAINER_STREAM_ADDRESS=192.168.123.120
EnvironmentFiles=/etc/sysconfig/crio (ignore_errors=yes)
EnvironmentFiles=/etc/sysconfig/crio-metrics (ignore_errors=yes)
EnvironmentFiles=/etc/sysconfig/crio-network (ignore_errors=yes)
EnvironmentFiles=/etc/sysconfig/crio-storage (ignore_errors=yes)
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=1048576
LimitNOFILESoft=1048576
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=1048576
LimitNPROCSoft=1048576
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=63507
LimitSIGPENDINGSoft=63507
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=-999
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
CPUAffinity=
NUMAPolicy=n/a
NUMAMask=
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictSUIDSGID=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=control-group
KillSignal=15
SendSIGKILL=yes
SendSIGHUP=no
Id=crio.service
Names=crio.service
Requires=machine-config-daemon-firstboot.service system.slice crio-wipe.service sysinit.target
WantedBy=kubelet.service
Conflicts=shutdown.target
Before=kubelet.service shutdown.target
After=sysinit.target ovs-configuration.service nodeip-configuration.service network-online.target systemd-journald.socket system.slice basic.target crio-wipe.service machine-config-daemon-firstboot.service
Documentation=https://github.com/cri-o/cri-o
Description=Open Container Initiative Daemon
LoadState=loaded
ActiveState=active
FreezerState=running
SubState=running
FragmentPath=/usr/lib/systemd/system/crio.service
DropInPaths=/etc/systemd/system/crio.service.d/10-mco-default-madv.conf /etc/systemd/system/crio.service.d/10-mco-profile-unix-socket.conf /etc/systemd/system/crio.service.d/20-nodenet.conf /etc/systemd/system/crio.service.d/20-stream-address.conf
UnitFileState=disabled
UnitFilePreset=disabled
StateChangeTimestamp=Thu 2021-03-25 17:40:40 UTC
StateChangeTimestampMonotonic=13108772
InactiveExitTimestamp=Thu 2021-03-25 17:40:39 UTC
InactiveExitTimestampMonotonic=12950474
ActiveEnterTimestamp=Thu 2021-03-25 17:40:40 UTC
ActiveEnterTimestampMonotonic=13108772
ActiveExitTimestampMonotonic=0
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=yes
CanIsolate=no
CanFreeze=yes
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=yes
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Thu 2021-03-25 17:40:39 UTC
ConditionTimestampMonotonic=12948946
AssertTimestamp=Thu 2021-03-25 17:40:39 UTC
AssertTimestampMonotonic=12948946
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=67b836c612614ba1b0696891ce27c643
CollectMode=inactive

crio config

time="2021-04-15T13:56:36Z" level=info msg="Starting CRI-O, version: 1.21.0-31.rhaos4.8.git30ec358.el8-dev, git: ()"
level=info msg="Using default capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_KILL"
# The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.

# CRI-O supports partial configuration reload during runtime, which can be
# done by sending SIGHUP to the running process. Currently supported options
# are explicitly mentioned with: 'This option supports live configuration
# reload'.

# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio]

# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
#root = "/var/lib/containers/storage"

# Path to the "run directory". CRI-O stores all of its state in this directory.
#runroot = "/var/run/containers/storage"

# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
#storage_driver = "overlay"

# List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
#storage_option = [
#]

# The default log directory where all logs will go unless directly specified by
# the kubelet. The log directory specified must be an absolute directory.
log_dir = "/var/log/crio/pods"

# Location for CRI-O to lay down the temporary version file.
# It is used to check if crio wipe should wipe containers, which should
# always happen on a node reboot
version_file = "/var/run/crio/version"

# Location for CRI-O to lay down the persistent version file.
# It is used to check if crio wipe should wipe images, which should
# only happen when CRI-O has been upgraded
version_file_persist = "/var/lib/crio/version"

# Location for CRI-O to lay down the clean shutdown file.
# It is used to check whether crio had time to sync before shutting down.
# If not found, crio wipe will clear the storage directory.
clean_shutdown_file = "/var/lib/crio/clean.shutdown"

# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]

# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"

# IP address on which the stream server will listen.
stream_address = ""

# The port on which the stream server will listen. If the port is set to "0", then
# CRI-O will allocate a random free port number.
stream_port = "10010"

# Enable encrypted TLS transport of the stream server.
stream_enable_tls = false

# Length of time until open streams terminate due to lack of activity
stream_idle_timeout = ""

# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
stream_tls_cert = ""

# Path to the key file used to serve the encrypted stream. This file can
# change and CRI-O will automatically pick up the changes within 5 minutes.
stream_tls_key = ""

# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change and CRI-O will
# automatically pick up the changes within 5 minutes.
stream_tls_ca = ""

# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_send_msg_size = 16777216

# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_recv_msg_size = 16777216

# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]

# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# If nothing is set here, settings will be inherited from the CRI-O daemon
#default_ulimits = [
#]

# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
no_pivot = false

# decryption_keys_path is the path where the keys required for
# image decryption are stored. This option supports live configuration reload.
decryption_keys_path = "/etc/crio/keys/"

# Path to the conmon binary, used for monitoring the OCI runtime.
# Will be searched for using $PATH if empty.
conmon = "/usr/libexec/crio/conmon"

# Cgroup setting for conmon
conmon_cgroup = "pod"

# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
conmon_env = [
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]

# Additional environment variables to set for all the
# containers. These are overridden if set in the
# container image spec or in the container runtime configuration.
default_env = [
	"NSS_SDB_USE_CACHE=no",
]

# If true, SELinux will be used for pod separation on the host.
selinux = true

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime. If not specified, then the internal default seccomp profile
# will be used. This option supports live configuration reload.
seccomp_profile = ""

# Changes the meaning of an empty seccomp profile. By default
# (and according to CRI spec), an empty profile means unconfined.
# This option tells CRI-O to treat an empty profile as the default profile,
# which might increase security.
seccomp_use_default_when_empty = false

# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default". This profile only takes effect if the user
# does not specify a profile via the Kubernetes Pod's metadata annotation. If
# the profile is set to "unconfined", then this equals to disabling AppArmor.
# This option supports live configuration reload.
apparmor_profile = "crio-default"

# Used to change irqbalance service config file path which is used for configuring
# irqbalance daemon.
irqbalance_config_file = "/etc/sysconfig/irqbalance"

# Cgroup management implementation used for the runtime.
cgroup_manager = "systemd"

# Specify whether the image pull must be performed in a separate cgroup.
separate_pull_cgroup = ""

# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
default_capabilities = [
	"CHOWN",
	"DAC_OVERRIDE",
	"FSETID",
	"FOWNER",
	"SETGID",
	"SETUID",
	"SETPCAP",
	"NET_BIND_SERVICE",
	"KILL",
]

# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
default_sysctls = [
	"net.ipv4.ping_group_range=0 2147483647",
]

# List of additional devices. specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
#If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
additional_devices = [
]

# Path to OCI hooks directories for automatically executed hooks. If one of the
# directories does not exist, then CRI-O will automatically skip them.
hooks_dir = [
	"/etc/containers/oci/hooks.d",
	"/run/containers/oci/hooks.d",
]

# Path to the file specifying the defaults mounts for each container. The
# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
# its default mounts from the following two files:
#
#   1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
#      override file, where users can either add in their own default mounts, or
#      override the default mounts shipped with the package.
#
#   2) /usr/share/containers/mounts.conf: This is the default file read for
#      mounts. If you want CRI-O to read from a different, specific mounts file,
#      you can change the default_mounts_file. Note, if this is done, CRI-O will
#      only add mounts it finds in this file.
#
#default_mounts_file = ""

# Maximum number of processes allowed in a container.
pids_limit = 1024

# Maximum sized allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
log_size_max = -1

# Whether container output should be logged to journald in addition to the kuberentes log file
log_to_journald = false

# Path to directory in which container exit files are written to by conmon.
container_exits_dir = "/var/run/crio/exits"

# Path to directory for container attach sockets.
container_attach_socket_dir = "/var/run/crio"

# The prefix to use for the source of the bind mounts.
bind_mount_prefix = ""

# If set to true, all containers will run in read-only mode.
read_only = false

# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, debug and trace. This option supports
# live configuration reload.
log_level = "info"

# Filter the log messages by the provided regular expression.
# This option supports live configuration reload.
log_filter = ""

# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
uid_mappings = ""

# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
gid_mappings = ""

# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container. The lowest possible
# value is 30s, whereas lower values are not considered by CRI-O.
ctr_stop_timeout = 30

# drop_infra_ctr determines whether CRI-O drops the infra container
# when a pod does not have a private PID namespace, and does not use
# a kernel separating runtime (like kata).
# It requires manage_ns_lifecycle to be true.
drop_infra_ctr = false

# infra_ctr_cpuset determines what CPUs will be used to run infra containers.
# You can use linux CPU list format to specify desired CPUs.
# To get better isolation for guaranteed pods, set this parameter to be equal to kubelet reserved-cpus.
infra_ctr_cpuset = ""

# The directory where the state of the managed namespaces gets tracked.
# Only used when manage_ns_lifecycle is true.
namespaces_dir = "/var/run"

# pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle
pinns_path = ""

# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below. If this value is changed,
# the corresponding existing entry from the runtimes map below will be ignored.
default_runtime = "runc"

# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
# The runtime to use is picked based on the runtime_handler provided by the CRI.
# If no runtime_handler is provided, the runtime will be picked based on the level
# of trust of the workload. Each entry in the table should follow the format:
#
#[crio.runtime.runtimes.runtime-handler]
#  runtime_path = "/path/to/the/executable"
#  runtime_type = "oci"
#  runtime_root = "/path/to/the/root"
#  privileged_without_host_devices = false
#  allowed_annotations = []
# Where:
# - runtime-handler: name used to identify the runtime
# - runtime_path (optional, string): absolute path to the runtime executable in
#   the host filesystem. If omitted, the runtime-handler identifier should match
#   the runtime executable name, and the runtime executable should be placed
#   in $PATH.
# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
#   omitted, an "oci" runtime is assumed.
# - runtime_root (optional, string): root directory for storage of containers
#   state.
# - privileged_without_host_devices (optional, bool): an option for restricting
#   host devices from being passed to privileged containers.
# - allowed_annotations (optional, array of strings): an option for specifying
#   a list of experimental annotations that this runtime handler is allowed to process.
#   The currently recognized values are:
#   "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
#   "io.kubernetes.cri-o.Devices" for configuring devices for the pod.
#   "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
#   "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container.
#   "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook.


[crio.runtime.runtimes.kata]
runtime_path = "/usr/bin/containerd-shim-kata-v2"
runtime_type = "vm"
runtime_root = "/run/vc"

privileged_without_host_devices = "true"



[crio.runtime.runtimes.runc]
runtime_path = ""
runtime_type = "oci"
runtime_root = "/run/runc"




# crun is a fast and lightweight fully featured OCI runtime and C library for
# running containers
#[crio.runtime.runtimes.crun]

# Kata Containers is an OCI runtime, where containers are run inside lightweight
# VMs. Kata provides additional isolation towards the host, minimizing the host attack
# surface and mitigating the consequences of containers breakout.

# Kata Containers with the default configured VMM
#[crio.runtime.runtimes.kata-runtime]

# Kata Containers with the QEMU VMM
#[crio.runtime.runtimes.kata-qemu]

# Kata Containers with the Firecracker VMM
#[crio.runtime.runtimes.kata-fc]

# The crio.image table contains settings pertaining to the management of OCI images.
#
# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image]

# Default transport for pulling images from a remote container storage.
default_transport = "docker://"

# The path to a file containing credentials necessary for pulling images from
# secure registries. The file is similar to that of /var/lib/kubelet/config.json
global_auth_file = "/var/lib/kubelet/config.json"

# The image used to instantiate infra containers.
# This option supports live configuration reload.
pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c649d641be44ad9fa7e837ed019dd3dbc6efc42b372343b9f9936fee1f67bdda"

# The path to a file containing credentials specific for pulling the pause_image from
# above. The file is similar to that of /var/lib/kubelet/config.json
# This option supports live configuration reload.
pause_image_auth_file = "/var/lib/kubelet/config.json"

# The command to run to have a container stay in the paused state.
# When explicitly set to "", it will fallback to the entrypoint and command
# specified in the pause image. When commented out, it will fallback to the
# default: "/pause". This option supports live configuration reload.
pause_command = "/usr/bin/pod"

# Path to the file which decides what sort of policy we use when deciding
# whether or not to trust an image that we've pulled. It is not recommended that
# this option be used, as the default behavior of using the system-wide default
# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
signature_policy = ""

# List of registries to skip TLS verification for pulling images. Please
# consider configuring the registries via /etc/containers/registries.conf before
# changing them here.
#insecure_registries = "[]"

# Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir"

# List of registries to be used when pulling an unqualified image (e.g.,
# "alpine:latest"). By default, registries is set to "docker.io" for
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
#registries = [
# ]

# Temporary directory to use for storing big files
big_files_temporary_dir = ""

# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]

# The default CNI network name to be selected. If not set or "", then
# CRI-O will pick-up the first one found in network_dir.
# cni_default_network = ""

# Path to the directory where CNI configuration files are located.
network_dir = "/etc/kubernetes/cni/net.d/"

# Paths to directories where CNI plugin binaries are located.
plugin_dirs = [
	"/var/lib/cni/bin",
	"/usr/libexec/cni",
]

# A necessary configuration for Prometheus based metrics retrieval
[crio.metrics]

# Globally enable or disable metrics support.
enable_metrics = true

# The port on which the metrics server will listen.
metrics_port = 9537

# Local socket path to bind the metrics server to
metrics_socket = ""

Podman

Podman

podman --version

podman version 2.2.1

podman system info

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.21-2.rhaos4.6.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: e5c6f4123734b4e16cbd22b8f9475a6d02a52e8e'
  cpus: 8
  distribution:
    distribution: '"rhcos"'
    version: "4.8"
  eventLogger: file
  hostname: worker-0-0.kata-c3d-48-0.qe.lab.redhat.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-240.15.1.el8_3.x86_64
  linkmode: dynamic
  memFree: 5059407872
  memTotal: 16783224832
  ociRuntime:
    name: runc
    package: runc-1.0.0-94.rhaos4.8.git5e27a39.el8.x86_64
    path: /usr/bin/runc
    version: |-
      runc version spec: 1.0.2-dev
      go: go1.15.5
      libseccomp: 2.4.3
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 500h 18m 9.83s (Approximately 20.83 days)
registries:
  quay.io/openshift-release-dev/ocp-v4.0-art-dev:
    Blocked: false
    Insecure: false
    Location: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: registry.kata-c3d-48-0.qe.lab.redhat.com:5000/localimages/local-release-image
    Prefix: quay.io/openshift-release-dev/ocp-v4.0-art-dev
  registry-proxy.engineering.redhat.com:
    Blocked: false
    Insecure: false
    Location: registry-proxy.engineering.redhat.com
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: registry.kata-c3d-48-0.qe.lab.redhat.com:5000
    Prefix: registry-proxy.engineering.redhat.com
  registry.ci.openshift.org/ocp/release:
    Blocked: false
    Insecure: false
    Location: registry.ci.openshift.org/ocp/release
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: registry.kata-c3d-48-0.qe.lab.redhat.com:5000/localimages/local-release-image
    Prefix: registry.ci.openshift.org/ocp/release
  registry.redhat.io:
    Blocked: false
    Insecure: false
    Location: registry.redhat.io
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: registry.kata-c3d-48-0.qe.lab.redhat.com:5000
    Prefix: registry.redhat.io
  registry.stage.redhat.io:
    Blocked: false
    Insecure: false
    Location: registry.stage.redhat.io
    MirrorByDigestOnly: true
    Mirrors:
    - Insecure: false
      Location: registry.kata-c3d-48-0.qe.lab.redhat.com:5000
    Prefix: registry.stage.redhat.io
  search:
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 34
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: "2"
  Built: 1612819146
  BuiltTime: Mon Feb  8 21:19:06 2021
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 2.2.1

cat /etc/containers/registries.conf

unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
  prefix = ""
  location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "registry.kata-c3d-48-0.qe.lab.redhat.com:5000/localimages/local-release-image"

[[registry]]
  prefix = ""
  location = "registry-proxy.engineering.redhat.com"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "registry.kata-c3d-48-0.qe.lab.redhat.com:5000"

[[registry]]
  prefix = ""
  location = "registry.ci.openshift.org/ocp/release"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "registry.kata-c3d-48-0.qe.lab.redhat.com:5000/localimages/local-release-image"

[[registry]]
  prefix = ""
  location = "registry.redhat.io"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "registry.kata-c3d-48-0.qe.lab.redhat.com:5000"

[[registry]]
  prefix = ""
  location = "registry.stage.redhat.io"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "registry.kata-c3d-48-0.qe.lab.redhat.com:5000"

cat /etc/containers/storage.conf

# This file is generated by the Machine Config Operator's containerruntimeconfig controller.
#
# storage.conf is the configuration file for all tools
# that share the containers/storage libraries
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver
driver = "overlay"

# Temporary storage location
runroot = "/var/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Size is used to set a maximum size of the container image.  Only supported by
# certain container storage drivers.
size = ""

# OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
override_kernel_check = "true"

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to UIDs/GIDs as they should appear outside of the container, and
# the length of the range of UIDs/GIDs.  Additional mapped sets can be listed
# and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and the a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped container-level ID,
# until all of the entries have been used for maps.
#
# remap-user = "storage"
# remap-group = "storage"

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# mountopt specifies extra mount options used when mounting the thin devices.
# mountopt = ""

# use_deferred_removal Marking device for deferred removal
# use_deferred_removal = "True"

# use_deferred_deletion Marking device for deferred deletion
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

cat /etc/containers/policy.json

{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}

cat /usr/share/containers/containers.conf

# The containers configuration file specifies all of the available configuration
# command-line options/flags for container engine tools like Podman & Buildah,
# but in a TOML format that can be easily modified and versioned.

# Please refer to containers.conf(5) for details of all configuration options.
# Not all container engines implement all of the options.
# All of the options have hard coded defaults and these options will override
# the built in defaults. Users can then override these options via the command
# line. Container engines will read containers.conf files in up to three
# locations in the following order:
#  1. /usr/share/containers/containers.conf
#  2. /etc/containers/containers.conf
#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
#  Items specified in the latter containers.conf, if they exist, override the
# previous containers.conf settings, or the default settings.

[containers]

# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
#
# devices = []

# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []

# Used to change the name of the default AppArmor profile of container engine.
#
# apparmor_profile = "container-default"

# List of annotation. Specified as
# "key=value"
# If it is empty or commented out, no annotations will be added
#
# annotations = []

# Default way to to create a cgroup namespace for the container
# Options are:
# `private` Create private Cgroup Namespace for the container.
# `host`    Share host Cgroup Namespace with the container.
#
# cgroupns = "private"

# Control container cgroup configuration
# Determines  whether  the  container will create CGroups.
# Options are:
# `enabled`   Enable cgroup support within container
# `disabled`  Disable cgroup support, will inherit cgroups from parent
# `no-conmon` Container engine runs run without conmon
#
# cgroups = "enabled"

# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#
# default_capabilities = [
#    "AUDIT_WRITE",
#    "CHOWN",
#    "DAC_OVERRIDE",
#    "FOWNER",
#    "FSETID",
#    "KILL",
#    "MKNOD",
#    "NET_BIND_SERVICE",
#    "NET_RAW",
#    "SETGID",
#    "SETPCAP",
#    "SETUID",
#    "SYS_CHROOT",
# ]

# A list of sysctls to be set in containers by default,
# specified as "name=value",
# for example:"net.ipv4.ping_group_range = 0 1000".
#
# default_sysctls = [
#  "net.ipv4.ping_group_range=0 1000",
# ]

# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# See setrlimit(2) for a list of resource names.
# Any limit not specified here will be inherited from the process launching the
# container engine.
# Ulimits has limits for non privileged container engines.
#
# default_ulimits = [
#  "nofile=1280:2560",
# ]

# List of default DNS options to be added to /etc/resolv.conf inside of the container.
#
# dns_options = []

# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
#
# dns_searches = []

# Set default DNS servers.
# This option can be used to override the DNS configuration passed to the
# container. The special value "none" can be specified to disable creation of
# /etc/resolv.conf in the container.
# The /etc/resolv.conf file in the image will be used without changes.
#
# dns_servers = []

# Environment variable list for the conmon process; used for passing necessary
# environment variables to conmon or the runtime.
#
# env = [
#    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
#    "TERM=xterm",
# ]

# Pass all host environment variables into the container.
#
# env_host = false

# Default proxy environment variables passed into the container.
# The environment variables passed in include:
# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
# these. This option is needed when host system uses a proxy but container
# should not use proxy. Proxy environment variables specified for the container
# in any other way will override the values passed from the host.
#
# http_proxy = true

# Run an init inside the container that forwards signals and reaps processes.
#
# init = false

#  Container init binary, if init=true, this is the init binary to be used for containers.
#
# init_path = "/usr/libexec/podman/catatonit"

# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
# Options are:
# `private` Create private IPC Namespace for the container.
# `host`    Share host IPC Namespace with the container.
#
# ipcns = "private"

# Flag tells container engine to whether to use container separation using
# MAC(SELinux)labeling or not.
# Flag is ignored on label disabled systems.
#
# label = true

# Logging driver for the container. Available options: k8s-file and journald.
#
# log_driver = "k8s-file"

# Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or
# exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
#
# log_size_max = -1

# Default way to to create a Network namespace for the container
# Options are:
# `private` Create private Network Namespace for the container.
# `host`    Share host Network Namespace with the container.
# `none`    Containers do not use the network
#
# netns = "private"

# Create /etc/hosts for the container.  By default, container engine manage
# /etc/hosts, automatically adding  the container's  own  IP  address.
#
# no_hosts = false

# Maximum number of processes allowed in a container.
#
# pids_limit = 2048

# Default way to to create a PID namespace for the container
# Options are:
# `private` Create private PID Namespace for the container.
# `host`    Share host PID Namespace with the container.
#
# pidns = "private"

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime.
#
# seccomp_profile = "/usr/share/containers/seccomp.json"

# Size of /dev/shm. Specified as <number><unit>.
# Unit is optional, values:
# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
# If the unit is omitted, the system uses bytes.
#
# shm_size = "65536k"

# Set timezone in container. Takes IANA timezones as well as "local",
# which sets the timezone in the container to match the host machine.
#
# tz = ""

# Set umask inside the container
#
# umask="0022"

# Default way to to create a UTS namespace for the container
# Options are:
# `private`        Create private UTS Namespace for the container.
# `host`    Share host UTS Namespace with the container.
#
# utsns = "private"

# Default way to to create a User namespace for the container
# Options are:
# `auto`        Create unique User Namespace for the container.
# `host`    Share host User Namespace with the container.
#
# userns = "host"

# Number of UIDs to allocate for the automatic container creation.
# UIDs are allocated from the "container" UIDs listed in
# /etc/subuid & /etc/subgid
#
# userns_size=65536

# The network table contains settings pertaining to the management of
# CNI plugins.

[network]

# Path to directory where CNI plugin binaries are located.
#
# cni_plugin_dirs = ["/usr/libexec/cni"]

# Path to the directory where CNI configuration files are located.
#
# network_config_dir = "/etc/cni/net.d/"

[engine]

# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
#
# cgroup_manager = "systemd"

# Environment variables to pass into conmon
#
# conmon_env_vars = [
#        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# ]

# Paths to look for the conmon container manager binary
#
# conmon_path = [
#        "/usr/libexec/podman/conmon",
#        "/usr/local/libexec/podman/conmon",
#        "/usr/local/lib/podman/conmon",
#        "/usr/bin/conmon",
#        "/usr/sbin/conmon",
#        "/usr/local/bin/conmon",
#        "/usr/local/sbin/conmon"
# ]

# Specify the keys sequence used to detach a container.
# Format is a single character [a-Z] or a comma separated sequence of
# `ctrl-<value>`, where `<value>` is one of:
# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
#
# detach_keys = "ctrl-p,ctrl-q"

# Determines whether engine will reserve ports on the host when they are
# forwarded to containers. When enabled, when ports are forwarded to containers,
# ports are held open by as long as the container is running, ensuring that
# they cannot be reused by other programs on the host. However, this can cause
# significant memory usage if a container has many ports forwarded to it.
# Disabling this can save memory.
#
# enable_port_reservation = true

# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
# For example "http_proxy=internal.proxy.company.com".
# Note these environment variables will not be used within the container.
# Set the env section under [containers] table, if you want to set environment variables for the container.
# env = []

# Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`.
#
events_logger = "file"

# Path to OCI hooks directories for automatically executed hooks.
#
# hooks_dir = [
#     "/usr/share/containers/oci/hooks.d",
# ]

# Default transport method for pulling and pushing for images
#
# image_default_transport = "docker://"

# Default command to run the infra container
#
# infra_command = "/pause"

# Infra (pause) container image name for pod infra containers.  When running a
# pod, we start a `pause` process in a container to hold open the namespaces
# associated with the  pod.  This container does nothing other then sleep,
# reserving the pods resources for the lifetime of the pod.
#
# infra_image = "k8s.gcr.io/pause:3.2"

# Specify the locking mechanism to use; valid values are "shm" and "file".
# Change the default only if you are sure of what you are doing, in general
# "file" is useful only on platforms where cgo is not available for using the
# faster "shm" lock type.  You may need to run "podman system renumber" after
# you change the lock type.
#
# lock_type** = "shm"

# MultiImageArchive - if true, the container engine allows for storing archives
# (e.g., of the docker-archive transport) with multiple images.  By default,
# Podman creates single-image archives.
#
# multi_image_archive = "false"

# Default engine namespace
# If engine is joined to a namespace, it will see only containers and pods
# that were created in the same namespace, and will create new containers and
# pods in that namespace.
# The default namespace is "", which corresponds to no namespace. When no
# namespace is set, all containers and pods are visible.
#
# namespace = ""

# Path to the slirp4netns binary
#
# network_cmd_path=""

# Whether to use chroot instead of pivot_root in the runtime
#
# no_pivot_root = false

# Number of locks available for containers and pods.
# If this is changed, a lock renumber must be performed (e.g. with the
# 'podman system renumber' command).
#
# num_locks = 2048

# Whether to pull new image before running a container
# pull_policy = "missing"

# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
# Uncomment to change location from this default
#
# static_dir = "/var/lib/containers/storage/libpod"

# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/var/run/libpod"

# Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage
# stores containers.
# Uncomment to change location from this default.
#
# volume_path = "/var/lib/containers/storage/volumes"

# Default OCI runtime
#
# runtime = "runc"

# List of the OCI runtimes that support --format=json.  When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata"]

# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]

# List of the OCI runtimes that supports running containers with KVM Separation.
#
# runtime_supports_kvm = ["kata"]

# Number of seconds to wait for container to exit before sending kill signal.
# stop_timeout = 10

# Index to the active service
# active_service = production

# map of service destinations
# [service_destinations]
#   [service_destinations.production]
#     URI to access the Podman service
#     Examples:
#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
#       rootfull "unix://run/podman/podman.sock (Default)
#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
#       remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
#     uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"
#     Path to file containing ssh identity key
#     identity = "~/.ssh/id_rsa"

# Paths to look for a valid OCI runtime (runc, runv, kata, etc)
[engine.runtimes]
# runc = [
#        "/usr/bin/runc",
#        "/usr/sbin/runc",
#        "/usr/local/bin/runc",
#        "/usr/local/sbin/runc",
#        "/sbin/runc",
#        "/bin/runc",
#        "/usr/lib/cri-o-runc/sbin/runc",
# ]

# crun = [
#            "/usr/bin/crun",
#            "/usr/sbin/crun",
#            "/usr/local/bin/crun",
#            "/usr/local/sbin/crun",
#            "/sbin/crun",
#            "/bin/crun",
#            "/run/current-system/sw/bin/crun",
# ]

# kata = [
#            "/usr/bin/kata-runtime",
#            "/usr/sbin/kata-runtime",
#            "/usr/local/bin/kata-runtime",
#            "/usr/local/sbin/kata-runtime",
#            "/sbin/kata-runtime",
#            "/bin/kata-runtime",
#            "/usr/bin/kata-qemu",
#            "/usr/bin/kata-fc",
# ]

# The [engine.runtimes] table MUST be the last entry in this file.
# (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being
# defined, so every key hereafter will be part of [runtimes] and not the main
# config.

cat /usr/share/containers/mounts.conf

/usr/share/rhel/secrets:/run/secrets

cat /usr/share/containers/seccomp.json

{
	"defaultAction": "SCMP_ACT_ERRNO",
	"archMap": [
		{
			"architecture": "SCMP_ARCH_X86_64",
			"subArchitectures": [
				"SCMP_ARCH_X86",
				"SCMP_ARCH_X32"
			]
		},
		{
			"architecture": "SCMP_ARCH_AARCH64",
			"subArchitectures": [
				"SCMP_ARCH_ARM"
			]
		},
		{
			"architecture": "SCMP_ARCH_MIPS64",
			"subArchitectures": [
				"SCMP_ARCH_MIPS",
				"SCMP_ARCH_MIPS64N32"
			]
		},
		{
			"architecture": "SCMP_ARCH_MIPS64N32",
			"subArchitectures": [
				"SCMP_ARCH_MIPS",
				"SCMP_ARCH_MIPS64"
			]
		},
		{
			"architecture": "SCMP_ARCH_MIPSEL64",
			"subArchitectures": [
				"SCMP_ARCH_MIPSEL",
				"SCMP_ARCH_MIPSEL64N32"
			]
		},
		{
			"architecture": "SCMP_ARCH_MIPSEL64N32",
			"subArchitectures": [
				"SCMP_ARCH_MIPSEL",
				"SCMP_ARCH_MIPSEL64"
			]
		},
		{
			"architecture": "SCMP_ARCH_S390X",
			"subArchitectures": [
				"SCMP_ARCH_S390"
			]
		}
	],
	"syscalls": [
		{
			"names": [
				"_llseek",
				"_newselect",
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"clone",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"faccessat2",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futimesat",
				"get_robust_list",
				"get_thread_area",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"io_destroy",
				"io_getevents",
				"io_setup",
				"io_submit",
				"ioctl",
				"ioprio_get",
				"ioprio_set",
				"ipc",
				"keyctl",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mount",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedsend",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"name_to_handle_at",
				"nanosleep",
				"newfstatat",
				"open",
				"openat",
				"openat2",
				"pause",
				"pidfd_getfd",
				"pipe",
				"pipe2",
				"pivot_root",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"reboot",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_tgsigqueueinfo",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"set_robust_list",
				"set_thread_area",
				"set_tid_address",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"setsid",
				"setsockopt",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigreturn",
				"socket",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"syslog",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"umount",
				"umount2",
				"uname",
				"unlink",
				"unlinkat",
				"unshare",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {},
			"excludes": {}
		},
		{
			"names": [
				"personality"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 0,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {}
		},
		{
			"names": [
				"personality"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 8,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {}
		},
		{
			"names": [
				"personality"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 131072,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {}
		},
		{
			"names": [
				"personality"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 131080,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {}
		},
		{
			"names": [
				"personality"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 4294967295,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {}
		},
		{
			"names": [
				"sync_file_range2"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"arches": [
					"ppc64le"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"arches": [
					"arm",
					"arm64"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"arch_prctl"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"arches": [
					"amd64",
					"x32"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"modify_ldt"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"arches": [
					"amd64",
					"x32",
					"x86"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"arches": [
					"s390",
					"s390x"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"open_by_handle_at"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_DAC_READ_SEARCH"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"umount",
				"umount2",
				"unshare"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_ADMIN"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"clone"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 2080505856,
					"valueTwo": 0,
					"op": "SCMP_CMP_MASKED_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {
				"caps": [
					"CAP_SYS_ADMIN"
				],
				"arches": [
					"s390",
					"s390x"
				]
			}
		},
		{
			"names": [
				"clone"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 1,
					"value": 2080505856,
					"valueTwo": 0,
					"op": "SCMP_CMP_MASKED_EQ"
				}
			],
			"comment": "s390 parameter ordering for clone is different",
			"includes": {
				"arches": [
					"s390",
					"s390x"
				]
			},
			"excludes": {
				"caps": [
					"CAP_SYS_ADMIN"
				]
			}
		},
		{
			"names": [
				"reboot"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_BOOT"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"chroot"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_CHROOT"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"delete_module",
				"init_module",
				"finit_module",
				"query_module"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_MODULE"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"get_mempolicy",
				"mbind",
				"name_to_handle_at",
				"set_mempolicy"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_NICE"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"acct"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_PACCT"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_PTRACE"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"iopl",
				"ioperm"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_RAWIO"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"settimeofday",
				"stime",
				"clock_settime",
				"clock_settime64"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_TIME"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"vhangup"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_TTY_CONFIG"
				]
			},
			"excludes": {}
		},
		{
			"names": [
				"socket"
			],
			"action": "SCMP_ACT_ERRNO",
			"args": [
				{
					"index": 0,
					"value": 16,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				},
				{
					"index": 2,
					"value": 9,
					"valueTwo": 0,
					"op": "SCMP_CMP_EQ"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {
				"caps": [
					"CAP_AUDIT_WRITE"
				]
			},
			"errnoRet": 22
		},
		{
			"names": [
				"socket"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 2,
					"value": 9,
					"valueTwo": 0,
					"op": "SCMP_CMP_NE"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {
				"caps": [
					"CAP_AUDIT_WRITE"
				]
			}
		},
		{
			"names": [
				"socket"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 0,
					"value": 16,
					"valueTwo": 0,
					"op": "SCMP_CMP_NE"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {
				"caps": [
					"CAP_AUDIT_WRITE"
				]
			}
		},
		{
			"names": [
				"socket"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [
				{
					"index": 2,
					"value": 9,
					"valueTwo": 0,
					"op": "SCMP_CMP_NE"
				}
			],
			"comment": "",
			"includes": {},
			"excludes": {
				"caps": [
					"CAP_AUDIT_WRITE"
				]
			}
		},
		{
			"names": [
				"socket"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": null,
			"comment": "",
			"includes": {
				"caps": [
					"CAP_AUDIT_WRITE"
				]
			},
			"excludes": {}
		}
	]
}

---

Packages

Packages

No dpkg
Have rpm

rpm -qa|egrep "(cc-oci-runtime|cc-runtime|runv|kata-runtime|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"

qemu-kvm-common-5.1.0-20.module+el8.3.1+9918+230f5c26.x86_64
qemu-guest-agent-4.2.0-34.module+el8.3.0+9903+ca3e42fb.4.x86_64
ipxe-roms-qemu-20181214-6.git133f4c47.el8.noarch
qemu-kiwi-5.1.0-20.module+el8.3.1+9918+230f5c26.x86_64

---

Kata Monitor

Kata Monitor kata-monitor.

kata-monitor --version

kata-monitor
 Version:	0.1.0
 Go version:	go1.13.4
 Git commit:	3e7173828955b61d9b2bf6e0f59712fb9a5c8b98
 OS/Arch:	linux/amd64

---

[c3d]

@fidencio Added the kata configuration to the description.

[sepich]

It seems kata can only use half of Host memory.
Here is what i've checked on at latest v2.1.0-alpha2:

• Host is empty hw k8s node 32Gb, 16cpu. Config is default_memory=2048, sandbox_cgroup_only=true, runtimeclass overhead is 2Gb
• I can schedule pod 4cpu/4Gb and do OOM inside:

$ kubectl exec -it test -- tail /dev/zero
command terminated with exit code 9

so it seems overhead and cgroup limits are configured ok, and process is killed inside VM guest. VM by itself continue to work.

• Now if i start 4x of such pods (4x4Gb ~= 16Gb, when host has 32Gb), and then do tail /dev/zero in each of them - it is fine for only 3. When it is done in last one, (no matter in which order) the VM would reboot. If I delete first pod, and leave only 3 - then i'm able to do tail /dev/zero in all of them (even in last one just restated)

• The issue could be reproduced more easily - by scheduling just one pod with memory limit of 20Gb

$ k exec -it test -- bash
root@test:/# free -h
              total        used        free      shared  buff/cache   available
Mem:           21Gi       342Mi        21Gi       0.0Ki       6.0Mi        21Gi
Swap:            0B          0B          0B
root@test:/# tail /dev/zero

And being dropped out of console. Pod/VM restarts

Host logs

journalctl -f | grep -v ' virtiofsd\['

Apr 17 08:58:03 blade-021 kata[39526]: time="2021-04-17T08:58:03.737727273Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820163] rcu: INFO: rcu_sched self-detected stall on CPU"
Apr 17 08:58:03 blade-021 kata[39526]: time="2021-04-17T08:58:03.737781594Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820267] rcu: \t4-....: (5249 ticks this GP) idle=b1e/1/0x4000000000000000 softirq=981/981 fqs=2615 "
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737727273Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820163] rcu: INFO: rcu_sched self-detected stall on CPU"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737781594Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820267] rcu: \t4-....: (5249 ticks this GP) idle=b1e/1/0x4000000000000000 softirq=981/981 fqs=2615 "
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737801801Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820299] \t(t=5250 jiffies g=3257 q=233)"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737815997Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820315] NMI backtrace for cpu 4"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737833158Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820327] CPU: 4 PID: 326 Comm: stress Not tainted 5.10.25 #1"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737849444Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737865971Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820399] Call Trace:"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737885407Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820418]  <IRQ>"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737913139Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820442]  dump_stack+0x57/0x6a"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737941586Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820468]  nmi_cpu_backtrace+0x9a/0xb0"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737960226Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820492]  ? lapic_can_unplug_cpu+0x90/0x90"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737974961Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820513]  nmi_trigger_cpumask_backtrace+0xca/0x100"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.737990912Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820528]  rcu_dump_cpu_stacks+0x9b/0xc9"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738024402Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820548]  rcu_sched_clock_irq+0x5d5/0x7e0"
Apr 17 08:58:03 blade-021 kata[39526]: time="2021-04-17T08:58:03.737801801Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820299] \t(t=5250 jiffies g=3257 q=233)"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738056771Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820584]  ? tick_sched_handle.isra.23+0x40/0x40"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738072858Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820609]  update_process_times+0x50/0x70"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738087671Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820627]  tick_sched_timer+0x36/0x70"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738109864Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820643]  __hrtimer_run_queues+0xf2/0x190"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738125480Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820661]  hrtimer_interrupt+0x11d/0x260"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738139968Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820675]  __sysvec_apic_timer_interrupt+0x4f/0x80"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738155740Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820691]  asm_call_irq_on_stack+0xf/0x20"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738171545Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820709]  </IRQ>"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738186026Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820720]  sysvec_apic_timer_interrupt+0x6c/0x80"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738204443Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820740]  asm_sysvec_apic_timer_interrupt+0x12/0x20"
Apr 17 08:58:03 blade-021 containerd[33839]: time="2021-04-17T08:58:03.738226228Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422/console.sock name=containerd-shim-v2 pid=39526 sandbox=7b174f8597497e26be1099fdce269971ed0902280651659c8f8b33165ec18422 source=virtcontainers subsystem=sandbox vmconsole="[  588.820758] RIP: 0010:clear_page_erms+0x7/0x10"

The same cpu stall when trying to do OOM via stress -m 1 --vm-bytes 20G --vm-keep. Seconds before restart console gets hung, and do not react to pressing Ctrl-C.
It is happening on bundled vmlinux.container and kata-containers.img. Should I try to pack own kernel/rootfs and check on them, or it is hypervisor related?

[sepich]

Retested on bundled configuration-clh.toml and it works fine, so it seems to be qemu related issue.

[sepich]

Also, it works on qemu when shared_fs = "virtio-9p"