Docker 26 breaks kata networking

[markmartirosian]

Docker 26 breaks kata networking

Description of problem

Docker version 26.0.0, build 2ae903e breaks io.containerd.run.kata.v2 networking. Cross posted moby/issues/47626.

Actual result

$ docker run --runtime io.containerd.run.kata.v2 -it alpine
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

$ journalctl -f
systemd[1]: var-lib-docker-overlay2-0e310c0c6a1dfb72c203eb6da8a5c28f9065a68b7479aff184f0dabf97e3f002\x2dinit-merged.mount: Deactivated successfully.
kernel: docker0: port 1(vethc3ec1b1) entered blocking state
kernel: docker0: port 1(vethc3ec1b1) entered disabled state
kernel: device vethc3ec1b1 entered promiscuous mode
NetworkManager[68177]: <info>  [1711318722.2169] manager: (veth0977992): new Veth device (/org/freedesktop/NetworkManager/Devices/73)
NetworkManager[68177]: <info>  [1711318722.2182] manager: (vethc3ec1b1): new Veth device (/org/freedesktop/NetworkManager/Devices/74)
dockerd[187544]: time="2024-03-24T22:18:42.239702887Z" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers"
kata[188717]: time="2024-03-24T22:18:42.322220402Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=188717 sandbox=559c2a20614a0728ddbe22e3f1c1f205088c02dacee31bdb10dd520238c0147f source=cgroups
containerd[111560]: time="2024-03-24T22:18:42.322220402Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=188717 sandbox=559c2a20614a0728ddbe22e3f1c1f205088c02dacee31bdb10dd520238c0147f source=cgroups
virtiofsd[188731]: hostname virtiofsd[188726]: Waiting for vhost-user socket connection...
virtiofsd[188731]: hostname virtiofsd[188726]: Client connected, servicing requests
kernel: eth0: renamed from veth0977992
kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
kernel: docker0: port 1(vethc3ec1b1) entered blocking state
kernel: docker0: port 1(vethc3ec1b1) entered forwarding state
NetworkManager[68177]: <info>  [1711318724.1607] device (vethc3ec1b1): carrier: link connected
NetworkManager[68177]: <info>  [1711318724.1610] device (docker0): carrier: link connected
gnome-shell[10207]: Removing a network device that was not added
tailscaled[9891]: Accept: TCP{100.102.157.85:54999 > 100.121.116.65:22} 104 tcp non-syn
tailscaled[9891]: Accept: TCP{100.102.157.85:54999 > 100.121.116.65:22} 104 tcp non-syn
tailscaled[9891]: Accept: TCP{100.121.116.65:22 > 100.102.157.85:54999} 52 ok out
tailscaled[9891]: Accept: TCP{100.102.157.85:54999 > 100.121.116.65:22} 104 tcp non-syn

Expected result

$ sudo dnf install -y docker-compose-plugin-2.25.0-1.el9.x86_64 \
  docker-ce-cli-1:25.0.5-1.el9.x86_64 \
  docker-ce-rootless-extras-25.0.5-1.el9.x86_64 \
  docker-ce-3:25.0.5-1.el9.x86_64

$ docker run --runtime io.containerd.run.kata.v2 -it alpine
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link tentative
       valid_lft forever preferred_lft forever

Further Information

Both scenarios have the same containerd version 1.6.28. Docker on it's own works as expected.

Show kata-collect-data.sh details

Meta details

Running kata-collect-data.sh version 3.2.0 (commit f7fd8841a40720945640174b2c3b5fd0d261c73a) at 2024-03-24.22:38:31.613855869+0000.

---

Runtime

Runtime is /usr/bin/kata-runtime.

kata-env

/usr/bin/kata-runtime kata-env

[Kernel]
  Path = "/usr/lib/modules/5.14.0-362.24.1.el9_3.x86_64/vmlinuz"
  Parameters = "scsi_mod.scan=none"

[Meta]
  Version = "1.0.26"

[Image]
  Path = ""

[Initrd]
  Path = "/var/cache/kata-containers/osbuilder-images/5.14.0-362.24.1.el9_3.x86_64/\"rhel\"-kata-5.14.0-362.24.1.el9_3.x86_64.initrd"

[Hypervisor]
  MachineType = "q35"
  Version = "QEMU emulator version 8.2.2 (qemu-8.2.2-1.el9)\nCopyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers"
  Path = "/usr/bin/qemu-system-x86_64"
  BlockDeviceDriver = "virtio-scsi"
  EntropySource = "/dev/urandom"
  SharedFS = "virtio-fs"
  VirtioFSDaemon = "/usr/libexec/virtiofsd"
  SocketPath = ""
  Msize9p = 8192
  MemorySlots = 10
  HotPlugVFIO = "no-port"
  ColdPlugVFIO = "no-port"
  Debug = false

[Runtime]
  Path = "/usr/bin/kata-runtime"
  GuestSeLinuxLabel = ""
  Debug = false
  Trace = false
  DisableGuestSeccomp = true
  DisableNewNetNs = false
  SandboxCgroupOnly = true
  [Runtime.Config]
    Path = "/usr/share/kata-containers/defaults/configuration.toml"
  [Runtime.Version]
    OCI = "1.0.2-dev"
    [Runtime.Version.Version]
      Semver = "3.2.0"
      Commit = "f7fd8841a40720945640174b2c3b5fd0d261c73a"
      Major = 3
      Minor = 2
      Patch = 0

[Host]
  Kernel = "5.14.0-362.24.1.el9_3.x86_64"
  Architecture = "amd64"
  VMContainerCapable = true
  SupportVSocks = true
  [Host.Distro]
    Name = "Red Hat Enterprise Linux"
    Version = "9.3"
  [Host.CPU]
    Vendor = "GenuineIntel"
    Model = "Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz"
    CPUs = 8
  [Host.Memory]
    Total = 16003952
    Free = 4511036
    Available = 12926532

[Agent]
  Debug = false
  Trace = false

---

Runtime config files

Runtime config files

Runtime default config files

/etc/kata-containers/configuration.toml
/usr/share/kata-containers/defaults/configuration.toml

Runtime config file contents

Config file /etc/kata-containers/configuration.toml not found
Config file /usr/share/defaults/kata-containers/configuration.toml not found

cat "/usr/share/kata-containers/defaults/configuration.toml"

# Copyright (c) 2017-2019 Intel Corporation
# Copyright (c) 2021 Adobe Inc.
#
# SPDX-License-Identifier: Apache-2.0
#

# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "config/configuration-qemu.toml.in"
# XXX: Project:
# XXX:   Name: Kata Containers
# XXX:   Type: kata

[hypervisor.qemu]
path = "/usr/bin/qemu-system-x86_64"
kernel = "/var/cache/kata-containers/vmlinuz.container"
initrd = "/var/cache/kata-containers/kata-containers-initrd.img"
# initrd = "/usr/share/kata-containers/kata-containers-initrd.img"
machine_type = "q35"

# rootfs filesystem type:
#   - ext4 (default)
#   - xfs
#   - erofs
rootfs_type="ext4"

# Enable confidential guest support.
# Toggling that setting may trigger different hardware features, ranging
# from memory encryption to both memory and CPU-state encryption and integrity.
# The Kata Containers runtime dynamically detects the available feature set and
# aims at enabling the largest possible one, returning an error if none is
# available, or none is supported by the hypervisor.
#
# Known limitations:
# * Does not work by design:
#   - CPU Hotplug
#   - Memory Hotplug
#   - NVDIMM devices
#
# Default false
# confidential_guest = true

# Choose AMD SEV-SNP confidential guests
# In case of using confidential guests on AMD hardware that supports both SEV
# and SEV-SNP, the following enables SEV-SNP guests. SEV guests are default.
# Default false
# sev_snp_guest = true

# Enable running QEMU VMM as a non-root user.
# By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
# a non-root random user. See documentation for the limitations of this mode.
# rootless = true

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = [".*"]

# List of valid annotations values for the hypervisor
# Each member of the list is a path pattern as described by glob(3).
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/usr/bin/qemu-system-x86_64"]
valid_hypervisor_paths = ["/usr/bin/qemu-system-x86_64"]

# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so as you
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = ""

# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = ""

# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = ""

# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators=""

# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
#seccompsandbox="on,obsolete=deny,spawn=deny,resourcecontrol=deny"

# CPU features
# comma-separated list of cpu features to pass to the cpu
# For example, `cpu_features = "pmu=off,vmx=off"
cpu_features="pmu=off"

# Default number of vCPUs per SB/VM:
# unspecified or 0                --> will be set to 1
# < 0                             --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores
default_vcpus = 1

# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0             --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU
# the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what are you doing.
# NOTICE: on arm platform with gicv2 interrupt controller, set it to 8.
default_maxvcpus = 0

# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Until 30 devices per bridge can be hot plugged.
# * Until 5 PCI bridges can be cold plugged per VM.
#   This limitation could be a bug in qemu or in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0   --> will be set to 1
# > 1 <= 5           --> will be set to the specified number
# > 5                --> will be set to 5
default_bridges = 1

# Default memory size in MiB for SB/VM.
# If unspecified then it will be set 2048 MiB.
default_memory = 2048
#
# Default memory slots per SB/VM.
# If unspecified then it will be set 10.
# This is will determine the times that memory will be hotadded to sandbox/VM.
#memory_slots = 10

# Default maximum memory in MiB per SB / VM
# unspecified or == 0           --> will be set to the actual amount of physical RAM
# > 0 <= amount of physical RAM --> will be set to the specified number
# > amount of physical RAM      --> will be set to the actual amount of physical RAM
default_maxmemory = 0

# The size in MiB will be plused to max memory of hypervisor.
# It is the memory address space for the NVDIMM devie.
# If set block storage driver (block_device_driver) to "nvdimm",
# should set memory_offset to the size of block device.
# Default 0
#memory_offset = 0

# Specifies virtio-mem will be enabled or not.
# Please note that this option should be used with the command
# "echo 1 > /proc/sys/vm/overcommit_memory".
# Default false
#enable_virtio_mem = true

# Disable block device from being used for a container's rootfs.
# In case of a storage driver like devicemapper where a container's
# root file system is backed by a block device, the block device is passed
# directly to the hypervisor for performance reasons.
# This flag prevents the block device from being passed to the hypervisor,
# virtio-fs is used instead to pass the rootfs.
disable_block_device_use = false

# Shared file system type:
#   - virtio-fs (default)
#   - virtio-9p
#   - virtio-fs-nydus
#   - none
# WARNING: "none" should be carefully used, and only used in very few specific cases, as
# any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
# issues with rotation of secrets, certs, or configurations via kubernetes objects like
# configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
shared_fs = "virtio-fs"

# Path to vhost-user-fs daemon.
virtio_fs_daemon = "/usr/libexec/virtiofsd"

# List of valid annotations values for the virtiofs daemon
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/usr/libexec/virtiofsd"]
valid_virtio_fs_daemon_paths = ["/usr/libexec/virtiofsd"]

# Default size of DAX cache in MiB
virtio_fs_cache_size = 0

# Default size of virtqueues
virtio_fs_queue_size = 1024

# Extra args for virtiofsd daemon
#
# Format example:
#   ["--arg1=xxx", "--arg2=yyy"]
# Examples:
#   Set virtiofsd log level to debug : ["--log-level=debug"]
#
# see `virtiofsd -h` for possible options.
virtio_fs_extra_args = ["--thread-pool-size=1", "--announce-submounts"]

# Cache mode:
#
#  - never
#    Metadata, data, and pathname lookup are not cached in guest. They are
#    always fetched from host and any changes are immediately pushed to host.
#
#  - auto
#    Metadata and pathname lookup cache expires after a configured amount of
#    time (default is 1 second). Data is cached while the file is open (close
#    to open consistency).
#
#  - always
#    Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "auto"

# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
block_device_driver = "virtio-scsi"

# aio is the I/O mechanism used by qemu
# Options:
#
#   - threads
#     Pthread based disk I/O.
#
#   - native
#     Native Linux I/O.
#
#   - io_uring
#     Linux io_uring API. This provides the fastest I/O operations on Linux, requires kernel>5.1 and
#     qemu >=5.0.
block_device_aio = "io_uring"

# Specifies cache-related options will be set to block devices or not.
# Default false
#block_device_cache_set = true

# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true

# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false
#block_device_cache_noflush = true

# Enable iothreads (data-plane) to be used. This causes IO to be
# handled in a separate IO thread. This is currently only implemented
# for SCSI.
#
enable_iothreads = false

# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true

# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically
# result in memory pre allocation
#enable_hugepages = true

# Enable vhost-user storage device, default false
# Enabling this will result in some Linux reserved block type
# major range 240-254 being chosen to represent vhost-user devices.
enable_vhost_user_store = false

# The base directory specifically used for vhost-user devices.
# Its sub-path "block" is used for block devices; "block/sockets" is
# where we expect vhost-user sockets to live; "block/devices" is where
# simulated block device nodes for vhost-user devices to live.
vhost_user_store_path = "/var/run/kata-containers/vhost-user"

# Enable vIOMMU, default false
# Enabling this will result in the VM having a vIOMMU device
# This will also add the following options to the kernel's
# command line: intel_iommu=on,iommu=pt
#enable_iommu = true

# Enable IOMMU_PLATFORM, default false
# Enabling this will result in the VM device having iommu_platform=on set
#enable_iommu_platform = true

# List of valid annotations values for the vhost user store path
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/var/run/kata-containers/vhost-user"]
valid_vhost_user_store_paths = ["/var/run/kata-containers/vhost-user"]

# The timeout for reconnecting on non-server spdk sockets when the remote end goes away.
# qemu will delay this many seconds and then attempt to reconnect.
# Zero disables reconnecting, and the default is zero.
vhost_user_reconnect_timeout_sec = 0

# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
# This option will be ignored if VM templating is enabled.
#file_mem_backend = ""

# List of valid annotations values for the file_mem_backend annotation
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: [""]
valid_file_mem_backends = [""]

# -pflash can add image file to VM. The arguments of it should be in format
# of ["/path/to/flash0.img", "/path/to/flash1.img"]
pflashes = []

# This option changes the default hypervisor and kernel parameters
# to enable debug output where available.
#
# Default false
#enable_debug = true

# This option allows to add an extra HMP or QMP socket when `enable_debug = true`
#
# WARNING: Anyone with access to the extra socket can take full control of
# Qemu. This is for debugging purpose only and must *NEVER* be used in
# production.
#
# Valid values are :
# - "hmp"
# - "qmp"
# - "qmp-pretty" (same as "qmp" with pretty json formatting)
#
# If set to the empty string "", no extra monitor socket is added. This is
# the default.
#extra_monitor_socket = hmp

# Disable the customizations done in the runtime when it detects
# that it is running on top a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
#
#disable_nesting_checks = true

# This is the msize used for 9p shares. It is the number of bytes
# used for 9p packet payload.
#msize_9p = 8192

# If false and nvdimm is supported, use nvdimm device to plug guest image.
# Otherwise virtio-block device is used.
#
# nvdimm is not supported when `confidential_guest = true`.
#
# Default is false
#disable_image_nvdimm = true

# VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on
# a bridge.
# Default false
#hotplug_vfio_on_root_bus = true

# Enable hot-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is  "no-port"
#hot_plug_vfio = "root-port"

# In a confidential compute environment hot-plugging can compromise
# security.
# Enable cold-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is  "no-port", which means disabled.
#cold_plug_vfio = "root-port"

# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
# This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35"
# Default 0
#pcie_root_port = 2

# If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off
# security (vhost-net runs ring0) for network I/O performance.
#disable_vhost_net = true

#
# Default entropy source.
# The path to a host source of entropy (including a real hardware RNG)
# /dev/urandom and /dev/random are two main options.
# Be aware that /dev/random is a blocking source of entropy.  If the host
# runs out of entropy, the VMs boot time will increase leading to get startup
# timeouts.
# The source of entropy /dev/urandom is non-blocking and provides a
# generally acceptable source of entropy. It should work well for pretty much
# all practical purposes.
#entropy_source= "/dev/urandom"

# List of valid annotations values for entropy_source
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: ["/dev/urandom","/dev/random",""]
valid_entropy_sources = ["/dev/urandom","/dev/random",""]

# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,poststart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered while scanning for hooks,
# but it will not abort container execution.
#guest_hook_path = "/usr/share/oci/hooks"
#
# Use rx Rate Limiter to control network I/O inbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) to discipline traffic.
# Default 0-sized value means unlimited rate.
#rx_rate_limiter_max_rate = 0
# Use tx Rate Limiter to control network I/O outbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) and ifb(Intermediate Functional Block)
# to discipline traffic.
# Default 0-sized value means unlimited rate.
#tx_rate_limiter_max_rate = 0

# Set where to save the guest memory dump file.
# If set, when GUEST_PANICKED event occurred,
# guest memeory will be dumped to host filesystem under guest_memory_dump_path,
# This directory will be created automatically if it does not exist.
#
# The dumped file(also called vmcore) can be processed with crash or gdb.
#
# WARNING:
#   Dump guest’s memory can take very long depending on the amount of guest memory
#   and use much disk space.
#guest_memory_dump_path="/var/crash/kata"

# If enable paging.
# Basically, if you want to use "gdb" rather than "crash",
# or need the guest-virtual addresses in the ELF vmcore,
# then you should enable paging.
#
# See: https://www.qemu.org/docs/master/qemu-qmp-ref.html#Dump-guest-memory for details
#guest_memory_dump_paging=false

# Enable swap in the guest. Default false.
# When enable_guest_swap is enabled, insert a raw file to the guest as the swap device
# if the swappiness of a container (set by annotation "io.katacontainers.container.resource.swappiness")
# is bigger than 0.
# The size of the swap device should be
# swap_in_bytes (set by annotation "io.katacontainers.container.resource.swap_in_bytes") - memory_limit_in_bytes.
# If swap_in_bytes is not set, the size should be memory_limit_in_bytes.
# If swap_in_bytes and memory_limit_in_bytes is not set, the size should
# be default_memory.
#enable_guest_swap = true

# use legacy serial for guest console if available and implemented for architecture. Default false
#use_legacy_serial = true

# disable applying SELinux on the VMM process (default false)
disable_selinux=false

# disable applying SELinux on the container process
# If set to false, the type `container_t` is applied to the container process by default.
# Note: To enable guest SELinux, the guest rootfs must be CentOS that is created and built
# with `SELINUX=yes`.
# (default: true)
disable_guest_selinux=true


[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
# creation and saves a lot of memory if there are many kata containers running
# on the same host.
#
# When disabled, new VMs are created from scratch.
#
# Note: Requires "initrd=" to be set ("image=" is not supported).
#
# Default false
#enable_template = true

# Specifies the path of template.
#
# Default "/run/vc/vm/template"
#template_path = "/run/vc/vm/template"

# The number of caches of VMCache:
# unspecified or == 0   --> VMCache is disabled
# > 0                   --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket.  The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client.  It will request gRPC format
# VM and convert it back to a VM.  If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
#vm_cache_number = 0

# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
#vm_cache_endpoint = "/var/run/kata-containers/cache.sock"

[agent.kata]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
#enable_debug = true

# Enable agent tracing.
#
# If enabled, the agent will generate OpenTelemetry trace spans.
#
# Notes:
#
# - If the runtime also has tracing enabled, the agent spans will be
#   associated with the appropriate runtime parent span.
# - If enabled, the runtime will wait for the container to shutdown,
#   increasing the container shutdown time slightly.
#
# (default: disabled)
#enable_tracing = true

# Comma separated list of kernel modules and their parameters.
# These modules will be loaded in the guest kernel using modprobe(8).
# The following example can be used to load two kernel modules with parameters
#  - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"]
# The first word is considered as the module name and the rest as its parameters.
# Container will not be started when:
#  * A kernel module is specified and the modprobe command is not installed in the guest
#    or it fails loading the module.
#  * The module is not available in the guest or it doesn't met the guest kernel
#    requirements, like architecture and version.
#
kernel_modules=[]

# Enable debug console.

# If enabled, user can connect guest OS running inside hypervisor
# through "kata-runtime exec <sandbox-id>" command

#debug_console_enabled = true

# Agent connection dialing timeout value in seconds
# (default: 45)
dial_timeout = 45

[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
#enable_debug = true
#
# Internetworking model
# Determines how the VM should be connected to the
# the container network interface
# Options:
#
#   - macvtap
#     Used when the Container network interface can be bridged using
#     macvtap.
#
#   - none
#     Used when customize network. Only creates a tap device. No veth pair.
#
#   - tcfilter
#     Uses tc filter rules to redirect traffic from the network interface
#     provided by plugin to a tap interface connected to the VM.
#
internetworking_model="tcfilter"

# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest
# (default: true)
disable_guest_seccomp=true

# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
# enable_vcpus_pinning = false

# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
#guest_selinux_label="system_u:system_r:container_t"

# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true

# Set the full url to the Jaeger HTTP Thrift collector.
# The default if not set will be "http://localhost:14268/api/traces"
#jaeger_endpoint = ""

# Sets the username to be used if basic auth is required for Jaeger.
#jaeger_user = ""

# Sets the password to be used if basic auth is required for Jaeger.
#jaeger_password = ""

# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# (default: false)
#disable_new_netns = true

# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
# The container cgroups in the host are not created, just one single cgroup per sandbox.
# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
# The sandbox cgroup is constrained if there is no container type annotation.
# See: https://pkg.go.dev/github.com/kata-containers/kata-containers/src/runtime/virtcontainers#ContainerType
sandbox_cgroup_only=true

# If enabled, the runtime will attempt to determine appropriate sandbox size (memory, CPU) before booting the virtual machine. In
# this case, the runtime will not dynamically update the amount of memory and CPU in the virtual machine. This is generally helpful
# when a hardware architecture or hypervisor solutions is utilized which does not support CPU and/or memory hotplug.
# Compatibility for determining appropriate sandbox (VM) size:
# - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
#   does not yet support sandbox sizing annotations.
# - When running single containers using a tool like ctr, container sizing information will be available.
static_sandbox_resource_mgmt=false

# If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
# This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.
# If defaults are utilized, these mounts should be available in the guest at `/run/kata-containers/shared/containers/sandbox-mounts`
# These will not be exposed to the container workloads, and are only provided for potential guest services.
sandbox_bind_mounts=[]

# VFIO Mode
# Determines how VFIO devices should be be presented to the container.
# Options:
#
#  - vfio
#    Matches behaviour of OCI runtimes (e.g. runc) as much as
#    possible.  VFIO devices will appear in the container as VFIO
#    character devices under /dev/vfio.  The exact names may differ
#    from the host (they need to match the VM's IOMMU group numbers
#    rather than the host's)
#
#  - guest-kernel
#    This is a Kata-specific behaviour that's useful in certain cases.
#    The VFIO device is managed by whatever driver in the VM kernel
#    claims it.  This means it will appear as one or more device nodes
#    or network interfaces depending on the nature of the device.
#    Using this mode requires specially built workloads that know how
#    to locate the relevant device interfaces within the VM.
#
vfio_mode="guest-kernel"

# If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
# be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
disable_guest_empty_dir=false

# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# they may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# (default: [])
experimental=[]

# If enabled, user can run pprof tools with shim v2 process through kata-monitor.
# (default: false)
# enable_pprof = true

# WARNING: All the options in the following section have not been implemented yet.
# This section was added as a placeholder. DO NOT USE IT!
[image]
# Container image service.
#
# Offload the CRI image management service to the Kata agent.
# (default: false)
#service_offload = true

# Container image decryption keys provisioning.
# Applies only if service_offload is true.
# Keys can be provisioned locally (e.g. through a special command or
# a local file) or remotely (usually after the guest is remotely attested).
# The provision setting is a complete URL that lets the Kata agent decide
# which method to use in order to fetch the keys.
#
# Keys can be stored in a local file, in a measured and attested initrd:
#provision=data:///local/key/file
#
# Keys could be fetched through a special command or binary from the
# initrd (guest) image, e.g. a firmware call:
#provision=file:///path/to/bin/fetcher/in/guest
#
# Keys can be remotely provisioned. The Kata agent fetches them from e.g.
# a HTTPS URL:
#provision=https://my-key-broker.foo/tenant/<tenant-id>

---

Containerd shim v2

Containerd shim v2 is /usr/bin/containerd-shim-kata-v2.

containerd-shim-kata-v2 --version

Kata Containers containerd shim (Golang): id: "io.containerd.kata.v2", version: 3.2.0, commit: f7fd8841a40720945640174b2c3b5fd0d261c73a

---

KSM throttler

KSM throttler

version

systemd service

Image details

Image details

No image

---

Initrd details

Initrd details

unknown

---

Logfiles

Logfiles

Runtime logs

Runtime logs

No recent runtime problems found in system journal.

Throttler logs

Throttler logs

No recent throttler problems found in system journal.

Kata Containerd Shim v2 logs

---

Container manager details

Container manager details

Docker

Docker

docker version

Client: Docker Engine - Community
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:19:53 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:18:08 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.13.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.25.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 12
  Running: 0
  Paused: 0
  Stopped: 12
 Images: 5
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.14.0-362.24.1.el9_3.x86_64
 Operating System: Red Hat Enterprise Linux 9.3 (Plow)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.26GiB
 Name: hostname
 ID: d868649a-7d74-44dc-8769-8af5f3546bf3
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

systemctl show docker

Type=notify
ExitType=main
Restart=always
NotifyAccess=main
RestartUSec=2s
TimeoutStartUSec=infinity
TimeoutStopUSec=1min 30s
TimeoutAbortUSec=1min 30s
TimeoutStartFailureMode=terminate
TimeoutStopFailureMode=terminate
RuntimeMaxUSec=infinity
RuntimeRandomizedExtraUSec=0
WatchdogUSec=0
WatchdogTimestampMonotonic=0
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=192662
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
ReloadResult=success
CleanResult=success
UID=[not set]
GID=[not set]
NRestarts=0
OOMPolicy=continue
ExecMainStartTimestamp=Sun 2024-03-24 22:38:08 UTC
ExecMainStartTimestampMonotonic=116880469450
ExecMainExitTimestampMonotonic=0
ExecMainPID=192662
ExecMainCode=0
ExecMainStatus=0
ExecStart={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock ; ignore_errors=no ; start_time=[Sun 2024-03-24 22:38:08 UTC] ; stop_time=[n/a] ; pid=192662 ; code=(null) ; status=0/0 }
ExecStartEx={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock ; flags= ; start_time=[Sun 2024-03-24 22:38:08 UTC] ; stop_time=[n/a] ; pid=192662 ; code=(null) ; status=0/0 }
ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecReloadEx={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; flags= ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/docker.service
ControlGroupId=18332
MemoryCurrent=42672128
MemoryAvailable=infinity
CPUUsageNSec=538642000
EffectiveCPUs=0-7
EffectiveMemoryNodes=0
TasksCurrent=19
IPIngressBytes=[no data]
IPIngressPackets=[no data]
IPEgressBytes=[no data]
IPEgressPackets=[no data]
IOReadBytes=18446744073709551615
IOReadOperations=18446744073709551615
IOWriteBytes=18446744073709551615
IOWriteOperations=18446744073709551615
Delegate=yes
DelegateControllers=cpu cpuacct cpuset io blkio memory devices pids bpf-firewall bpf-devices bpf-foreign bpf-socket-bind bpf-restrict-network-interfaces
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
CPUQuotaPeriodUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
DefaultMemoryLow=0
DefaultMemoryMin=0
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=infinity
IPAccounting=no
ManagedOOMSwap=auto
ManagedOOMMemoryPressure=auto
ManagedOOMMemoryPressureLimit=0
ManagedOOMPreference=none
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=524288
LimitNOFILESoft=1024
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=infinity
LimitNPROCSoft=infinity
LimitMEMLOCK=8388608
LimitMEMLOCKSoft=8388608
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=62242
LimitSIGPENDINGSoft=62242
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=-500
CoredumpFilter=0x33
Nice=0
IOSchedulingClass=2
IOSchedulingPriority=4
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
CPUAffinityFromNUMA=no
NUMAPolicy=n/a
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore
DynamicUser=no
RemoveIPC=no
PrivateTmp=no
PrivateDevices=no
ProtectClock=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectKernelLogs=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
PrivateIPC=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=2147483646
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
TimeoutCleanUSec=infinity
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictSUIDSGID=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
ProtectProc=default
ProcSubset=all
ProtectHostname=no
KillMode=process
KillSignal=15
RestartKillSignal=15
FinalKillSignal=9
SendSIGKILL=yes
SendSIGHUP=no
WatchdogSignal=6
Id=docker.service
Names=docker.service
Requires=system.slice sysinit.target docker.socket
Wants=containerd.service network-online.target
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=shutdown.target multi-user.target
After=firewalld.service sysinit.target network-online.target containerd.service systemd-journald.socket time-set.target docker.socket basic.target system.slice
TriggeredBy=docker.socket
Documentation=https://docs.docker.com
Description=Docker Application Container Engine
AccessSELinuxContext=system_u:object_r:container_unit_file_t:s0
LoadState=loaded
ActiveState=active
FreezerState=running
SubState=running
FragmentPath=/usr/lib/systemd/system/docker.service
UnitFileState=enabled
UnitFilePreset=disabled
StateChangeTimestamp=Sun 2024-03-24 22:38:09 UTC
StateChangeTimestampMonotonic=116881776854
InactiveExitTimestamp=Sun 2024-03-24 22:38:08 UTC
InactiveExitTimestampMonotonic=116880469773
ActiveEnterTimestamp=Sun 2024-03-24 22:38:09 UTC
ActiveEnterTimestampMonotonic=116881776854
ActiveExitTimestamp=Sun 2024-03-24 22:38:08 UTC
ActiveExitTimestampMonotonic=116880446668
InactiveEnterTimestamp=Sun 2024-03-24 22:38:08 UTC
InactiveEnterTimestampMonotonic=116880467315
CanStart=yes
CanStop=yes
CanReload=yes
CanIsolate=no
CanFreeze=yes
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnSuccessJobMode=fail
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Sun 2024-03-24 22:38:08 UTC
ConditionTimestampMonotonic=116880468098
AssertTimestamp=Sun 2024-03-24 22:38:08 UTC
AssertTimestampMonotonic=116880468099
Transient=no
Perpetual=no
StartLimitIntervalUSec=1min
StartLimitBurst=3
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=0400172e18f744659c73d60cc853d8cf
CollectMode=inactive

containerd

containerd

containerd --version

containerd containerd.io 1.6.28 ae07eda36dd25f8a1b98dfbf587313b99c0190bb

systemctl show containerd

Type=notify
ExitType=main
Restart=always
NotifyAccess=main
RestartUSec=5s
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
TimeoutAbortUSec=1min 30s
TimeoutStartFailureMode=terminate
TimeoutStopFailureMode=terminate
RuntimeMaxUSec=infinity
RuntimeRandomizedExtraUSec=0
WatchdogUSec=0
WatchdogTimestampMonotonic=0
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=111560
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
ReloadResult=success
CleanResult=success
UID=[not set]
GID=[not set]
NRestarts=0
OOMPolicy=continue
ExecMainStartTimestamp=Sun 2024-03-24 19:58:59 UTC
ExecMainStartTimestampMonotonic=107331311641
ExecMainExitTimestampMonotonic=0
ExecMainPID=111560
ExecMainCode=0
ExecMainStatus=0
ExecStartPre={ path=/sbin/modprobe ; argv[]=/sbin/modprobe overlay ; ignore_errors=yes ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStartPreEx={ path=/sbin/modprobe ; argv[]=/sbin/modprobe overlay ; flags=ignore-failure ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStart={ path=/usr/bin/containerd ; argv[]=/usr/bin/containerd ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStartEx={ path=/usr/bin/containerd ; argv[]=/usr/bin/containerd ; flags= ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/containerd.service
ControlGroupId=15077
MemoryCurrent=46051328
MemoryAvailable=infinity
CPUUsageNSec=28857224000
EffectiveCPUs=0-7
EffectiveMemoryNodes=0
TasksCurrent=14
IPIngressBytes=[no data]
IPIngressPackets=[no data]
IPEgressBytes=[no data]
IPEgressPackets=[no data]
IOReadBytes=18446744073709551615
IOReadOperations=18446744073709551615
IOWriteBytes=18446744073709551615
IOWriteOperations=18446744073709551615
Delegate=yes
DelegateControllers=cpu cpuacct cpuset io blkio memory devices pids bpf-firewall bpf-devices bpf-foreign bpf-socket-bind bpf-restrict-network-interfaces
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
CPUQuotaPeriodUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
DefaultMemoryLow=0
DefaultMemoryMin=0
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=infinity
IPAccounting=no
ManagedOOMSwap=auto
ManagedOOMMemoryPressure=auto
ManagedOOMMemoryPressureLimit=0
ManagedOOMPreference=none
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=infinity
LimitNOFILESoft=infinity
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=infinity
LimitNPROCSoft=infinity
LimitMEMLOCK=8388608
LimitMEMLOCKSoft=8388608
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=62242
LimitSIGPENDINGSoft=62242
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=-999
CoredumpFilter=0x33
Nice=0
IOSchedulingClass=2
IOSchedulingPriority=4
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
CPUAffinityFromNUMA=no
NUMAPolicy=n/a
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore
DynamicUser=no
RemoveIPC=no
PrivateTmp=no
PrivateDevices=no
ProtectClock=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectKernelLogs=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
PrivateIPC=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=2147483646
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
TimeoutCleanUSec=infinity
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictSUIDSGID=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
ProtectProc=default
ProcSubset=all
ProtectHostname=no
KillMode=process
KillSignal=15
RestartKillSignal=15
FinalKillSignal=9
SendSIGKILL=yes
SendSIGHUP=no
WatchdogSignal=6
Id=containerd.service
Names=containerd.service
Requires=sysinit.target system.slice
WantedBy=docker.service multi-user.target
Conflicts=shutdown.target
Before=docker.service multi-user.target shutdown.target
After=sysinit.target network.target systemd-journald.socket basic.target local-fs.target system.slice
Documentation=https://containerd.io
Description=containerd container runtime
AccessSELinuxContext=system_u:object_r:container_unit_file_t:s0
LoadState=loaded
ActiveState=active
FreezerState=running
SubState=running
FragmentPath=/usr/lib/systemd/system/containerd.service
UnitFileState=enabled
UnitFilePreset=disabled
StateChangeTimestamp=Sun 2024-03-24 19:58:59 UTC
StateChangeTimestampMonotonic=107331355538
InactiveExitTimestamp=Sun 2024-03-24 19:58:59 UTC
InactiveExitTimestampMonotonic=107331306743
ActiveEnterTimestamp=Sun 2024-03-24 19:58:59 UTC
ActiveEnterTimestampMonotonic=107331355538
ActiveExitTimestamp=Sun 2024-03-24 19:58:59 UTC
ActiveExitTimestampMonotonic=107331299353
InactiveEnterTimestamp=Sun 2024-03-24 19:58:59 UTC
InactiveEnterTimestampMonotonic=107331304222
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
CanFreeze=yes
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnSuccessJobMode=fail
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Sun 2024-03-24 19:58:59 UTC
ConditionTimestampMonotonic=107331304928
AssertTimestamp=Sun 2024-03-24 19:58:59 UTC
AssertTimestampMonotonic=107331304929
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=43a7643ae7e64d56854f64931cbc8ed5
CollectMode=inactive

cat /etc/containerd/config.toml

#   Copyright 2018-2022 Docker Inc.

#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at

#       http://www.apache.org/licenses/LICENSE-2.0

#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

disabled_plugins = ["cri"]

#root = "/var/lib/containerd"
#state = "/run/containerd"
#subreaper = true
#oom_score = 0

#[grpc]
#  address = "/run/containerd/containerd.sock"
#  uid = 0
#  gid = 0

#[debug]
#  address = "/run/containerd/debug.sock"
#  uid = 0
#  gid = 0
#  level = "info"

---

Packages

Packages

No dpkg
Have rpm

rpm -qa|egrep "(cc-oci-runtime|cc-runtime|runv|kata-runtime|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"

ipxe-roms-qemu-20200823-9.git4bd064de.el9_0.noarch
qemu-common-8.2.2-1.el9.x86_64
qemu-system-x86-core-8.2.2-1.el9.x86_64
qemu-kvm-core-8.2.2-1.el9.x86_64
qemu-ui-opengl-8.2.2-1.el9.x86_64
qemu-device-display-virtio-gpu-8.2.2-1.el9.x86_64
qemu-device-display-virtio-vga-8.2.2-1.el9.x86_64
qemu-device-display-virtio-vga-gl-8.2.2-1.el9.x86_64
qemu-device-display-virtio-gpu-ccw-8.2.2-1.el9.x86_64
qemu-device-display-virtio-gpu-pci-8.2.2-1.el9.x86_64
qemu-ui-egl-headless-8.2.2-1.el9.x86_64
qemu-ui-gtk-8.2.2-1.el9.x86_64
qemu-ui-sdl-8.2.2-1.el9.x86_64
qemu-device-usb-redirect-8.2.2-1.el9.x86_64
qemu-block-rbd-8.2.2-1.el9.x86_64
qemu-block-iscsi-8.2.2-1.el9.x86_64
qemu-ui-curses-8.2.2-1.el9.x86_64
qemu-pr-helper-8.2.2-1.el9.x86_64
qemu-device-usb-host-8.2.2-1.el9.x86_64
qemu-char-baum-8.2.2-1.el9.x86_64
qemu-block-ssh-8.2.2-1.el9.x86_64
qemu-block-dmg-8.2.2-1.el9.x86_64
qemu-block-curl-8.2.2-1.el9.x86_64
qemu-audio-sdl-8.2.2-1.el9.x86_64
qemu-audio-pipewire-8.2.2-1.el9.x86_64
qemu-audio-pa-8.2.2-1.el9.x86_64
qemu-audio-oss-8.2.2-1.el9.x86_64
qemu-audio-dbus-8.2.2-1.el9.x86_64
qemu-audio-alsa-8.2.2-1.el9.x86_64
qemu-system-x86-8.2.2-1.el9.x86_64
qemu-kvm-8.2.2-1.el9.x86_64
qemu-user-static-x86-8.2.2-1.el9.x86_64

---

Kata Monitor

Kata Monitor kata-monitor.

kata-monitor --version

kata-monitor
 Version:	0.3.0
 Go version:	go1.21.7 (Red Hat 1.21.7-1.el9)
 Git commit:	f7fd8841a40720945640174b2c3b5fd0d261c73a
 OS/Arch:	linux/amd64

---

[markmartirosian]

Kata Containerd Shim v2 logs

Recent problems found in system journal:

time="2024-03-24T16:32:06.940485231Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=65466 sandbox=21b51955345cbd3c9ee9b8ead7291a34081b4d59aed0ca4a5884b064f8d28f3a sandboxid=21b51955345cbd3c9ee9b8ead7291a34081b4d59aed0ca4a5884b064f8d28f3a source=virtcontainers subsystem=sandbox
time="2024-03-24T16:32:16.977788652Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=65796 sandbox=bdbc4b6b05dbc87838bf60a36be4cdd2833272248f8aaa1cf439d52527614885 source=cgroups
time="2024-03-24T16:37:16.399505368Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=65796 sandbox=bdbc4b6b05dbc87838bf60a36be4cdd2833272248f8aaa1cf439d52527614885 sandboxid=bdbc4b6b05dbc87838bf60a36be4cdd2833272248f8aaa1cf439d52527614885 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:37:38.631408487Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=66266 sandbox=cbf30df725d2f5ba467fb8f37fb3756b4356b492a820918f9c8284eb1743526b source=cgroups
time="2024-03-24T16:41:40.364379463Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=66266 sandbox=cbf30df725d2f5ba467fb8f37fb3756b4356b492a820918f9c8284eb1743526b sandboxid=cbf30df725d2f5ba467fb8f37fb3756b4356b492a820918f9c8284eb1743526b source=virtcontainers subsystem=sandbox
time="2024-03-24T16:42:41.881904389Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=67531 sandbox=5b42846c07c8fcc7538ba3a8f03bcbc090f2562023237117fd46dacc12564104 source=cgroups
time="2024-03-24T16:42:48.79539048Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=67531 sandbox=5b42846c07c8fcc7538ba3a8f03bcbc090f2562023237117fd46dacc12564104 sandboxid=5b42846c07c8fcc7538ba3a8f03bcbc090f2562023237117fd46dacc12564104 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:43:18.338266849Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=67946 sandbox=ca04c56771cdfcb5b97a525e1e264e244709b6edb1e74f9317f9f171cfbcdfb0 source=cgroups
time="2024-03-24T16:43:24.56863588Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=67946 sandbox=ca04c56771cdfcb5b97a525e1e264e244709b6edb1e74f9317f9f171cfbcdfb0 sandboxid=ca04c56771cdfcb5b97a525e1e264e244709b6edb1e74f9317f9f171cfbcdfb0 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:45:03.799120123Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=68466 sandbox=685b1e845fed7733c2ff25e2d0702ef21e38c9c9faccaebee197a7376734cc9c source=cgroups
time="2024-03-24T16:47:31.721072492Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=68466 sandbox=685b1e845fed7733c2ff25e2d0702ef21e38c9c9faccaebee197a7376734cc9c sandboxid=685b1e845fed7733c2ff25e2d0702ef21e38c9c9faccaebee197a7376734cc9c source=virtcontainers subsystem=sandbox
time="2024-03-24T16:47:33.264131652Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=68993 sandbox=cfdbff7a93473580471c66acf6a36d92d45d3f200b6ccbbe6129dd9f6d58856c source=cgroups
time="2024-03-24T16:47:38.511080421Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=68993 sandbox=cfdbff7a93473580471c66acf6a36d92d45d3f200b6ccbbe6129dd9f6d58856c sandboxid=cfdbff7a93473580471c66acf6a36d92d45d3f200b6ccbbe6129dd9f6d58856c source=virtcontainers subsystem=sandbox
time="2024-03-24T16:48:57.310507752Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=69401 sandbox=8a50173be47c8a5924460f4e4355364d263e801435ff73b39bf60870903ca7d0 source=cgroups
time="2024-03-24T16:52:07.414699447Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=69401 sandbox=8a50173be47c8a5924460f4e4355364d263e801435ff73b39bf60870903ca7d0 sandboxid=8a50173be47c8a5924460f4e4355364d263e801435ff73b39bf60870903ca7d0 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:52:17.331747774Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=69711 sandbox=b4d0752ed9d8da88283c596f7bbe6b3a273e2605f54839a4a22082f1a907f869 source=cgroups
time="2024-03-24T16:53:08.624605279Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=69711 sandbox=b4d0752ed9d8da88283c596f7bbe6b3a273e2605f54839a4a22082f1a907f869 sandboxid=b4d0752ed9d8da88283c596f7bbe6b3a273e2605f54839a4a22082f1a907f869 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:53:09.628172794Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=70079 sandbox=2cd148c82ad2b24a16371dbca3040cbe59ab7ac1edb8bf0c82f4809a7fc54465 source=cgroups
time="2024-03-24T16:53:16.053065945Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=70079 sandbox=2cd148c82ad2b24a16371dbca3040cbe59ab7ac1edb8bf0c82f4809a7fc54465 sandboxid=2cd148c82ad2b24a16371dbca3040cbe59ab7ac1edb8bf0c82f4809a7fc54465 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:54:59.356924853Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=73988 sandbox=e52f2bee8ea9ffc34494005324960c8aa6481a975a533ee83c4d671d464ded03 source=cgroups
time="2024-03-24T16:55:03.723929693Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=73988 sandbox=e52f2bee8ea9ffc34494005324960c8aa6481a975a533ee83c4d671d464ded03 sandboxid=e52f2bee8ea9ffc34494005324960c8aa6481a975a533ee83c4d671d464ded03 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:55:14.810078842Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=74270 sandbox=54c7e819b15070a29c55dc78f775688f57ce96528aa7363800fc70c42124e5b8 source=cgroups
time="2024-03-24T16:55:57.323974828Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=74270 sandbox=54c7e819b15070a29c55dc78f775688f57ce96528aa7363800fc70c42124e5b8 sandboxid=54c7e819b15070a29c55dc78f775688f57ce96528aa7363800fc70c42124e5b8 source=virtcontainers subsystem=sandbox
time="2024-03-24T16:56:15.90157028Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=74585 sandbox=abcb7c3fb68fbc59ead098dc9396fbc5e156ddfc37fa19532b6d21f4aca38e89 source=cgroups
time="2024-03-24T17:07:52.842017303Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=74585 sandbox=abcb7c3fb68fbc59ead098dc9396fbc5e156ddfc37fa19532b6d21f4aca38e89 sandboxid=abcb7c3fb68fbc59ead098dc9396fbc5e156ddfc37fa19532b6d21f4aca38e89 source=virtcontainers subsystem=sandbox
time="2024-03-24T17:08:12.95413095Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=75751 sandbox=32b9bf659cdaa03975e16eb101d3c19fe97474140bd3c007e63c42565f0cc48a source=cgroups
time="2024-03-24T17:08:17.508594753Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=75751 sandbox=32b9bf659cdaa03975e16eb101d3c19fe97474140bd3c007e63c42565f0cc48a sandboxid=32b9bf659cdaa03975e16eb101d3c19fe97474140bd3c007e63c42565f0cc48a source=virtcontainers subsystem=sandbox
time="2024-03-24T19:59:24.838641396Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=112197 sandbox=bb603dcf24c71aec7059afa291d468399a379a1db161132942dc16bc0c1077d2 source=cgroups
time="2024-03-24T19:59:29.817152275Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=112197 sandbox=bb603dcf24c71aec7059afa291d468399a379a1db161132942dc16bc0c1077d2 sandboxid=bb603dcf24c71aec7059afa291d468399a379a1db161132942dc16bc0c1077d2 source=virtcontainers subsystem=sandbox
time="2024-03-24T21:51:31.731139108Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=182205 sandbox=test source=cgroups
time="2024-03-24T22:01:53.162907739Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=184335 sandbox=fa65b2dd1e3458ef0f33c35eee37adc2f5b63b7551a6d559cc55db9edbeff5b1 source=cgroups
time="2024-03-24T22:02:01.135520626Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=184335 sandbox=fa65b2dd1e3458ef0f33c35eee37adc2f5b63b7551a6d559cc55db9edbeff5b1 sandboxid=fa65b2dd1e3458ef0f33c35eee37adc2f5b63b7551a6d559cc55db9edbeff5b1 source=virtcontainers subsystem=sandbox
time="2024-03-24T22:15:54.911918799Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=188133 sandbox=08f5848a8c512b901ad21e9240fb8dd623467628714832d19b36173978cf731e source=cgroups
time="2024-03-24T22:16:00.525727447Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=188133 sandbox=08f5848a8c512b901ad21e9240fb8dd623467628714832d19b36173978cf731e sandboxid=08f5848a8c512b901ad21e9240fb8dd623467628714832d19b36173978cf731e source=virtcontainers subsystem=sandbox
time="2024-03-24T22:17:54.033649765Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=188430 sandbox=8bc5f33f7dd7ea0377b61124bbc0f5fce3fbeba005e325e49c8a408fcd71ac74 source=cgroups
time="2024-03-24T22:18:31.183539248Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=188430 sandbox=8bc5f33f7dd7ea0377b61124bbc0f5fce3fbeba005e325e49c8a408fcd71ac74 sandboxid=8bc5f33f7dd7ea0377b61124bbc0f5fce3fbeba005e325e49c8a408fcd71ac74 source=virtcontainers subsystem=sandbox
time="2024-03-24T22:18:42.322220402Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=188717 sandbox=559c2a20614a0728ddbe22e3f1c1f205088c02dacee31bdb10dd520238c0147f source=cgroups
time="2024-03-24T22:21:01.111224236Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=188717 sandbox=559c2a20614a0728ddbe22e3f1c1f205088c02dacee31bdb10dd520238c0147f sandboxid=559c2a20614a0728ddbe22e3f1c1f205088c02dacee31bdb10dd520238c0147f source=virtcontainers subsystem=sandbox
time="2024-03-24T22:23:25.943071016Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=190438 sandbox=441a11eec5a5ef5699635de7fda4bb3f3669e520ff4695f1ccba46f77cdbb54f source=cgroups
time="2024-03-24T22:25:36.056401648Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=190438 sandbox=441a11eec5a5ef5699635de7fda4bb3f3669e520ff4695f1ccba46f77cdbb54f sandboxid=441a11eec5a5ef5699635de7fda4bb3f3669e520ff4695f1ccba46f77cdbb54f source=virtcontainers subsystem=sandbox
time="2024-03-24T22:28:24.641991378Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=190846 sandbox=ip source=cgroups
time="2024-03-24T22:28:49.141402865Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=190991 sandbox=ip source=cgroups
time="2024-03-24T22:28:54.874112428Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=191062 sandbox=test source=cgroups
time="2024-03-24T22:28:59.281991612Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=191138 sandbox=test source=cgroups
time="2024-03-24T22:31:41.466510064Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=191426 sandbox=test source=cgroups
time="2024-03-24T22:32:15.52239134Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=191952 sandbox=test source=cgroups
time="2024-03-24T22:37:39.208164491Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=192418 sandbox=9c33f9800a468aae70dec345d4d72a383451ef38a29d0a85721349ba7392fd82 source=cgroups
time="2024-03-24T22:37:48.982352221Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=192418 sandbox=9c33f9800a468aae70dec345d4d72a383451ef38a29d0a85721349ba7392fd82 sandboxid=9c33f9800a468aae70dec345d4d72a383451ef38a29d0a85721349ba7392fd82 source=virtcontainers subsystem=sandbox
time="2024-03-24T22:38:15.775428807Z" level=warning msg="Could not add /dev/mshv to the devices cgroup" name=containerd-shim-v2 pid=193258 sandbox=77d342510238cca3b0619f5336e7d35b456e2eee1038a33722d78cae660c588e source=cgroups
time="2024-03-24T22:38:20.558392039Z" level=warning msg="Agent did not stop sandbox" error="rpc error: code = Internal desc = No such file or directory (os error 2)" name=containerd-shim-v2 pid=193258 sandbox=77d342510238cca3b0619f5336e7d35b456e2eee1038a33722d78cae660c588e sandboxid=77d342510238cca3b0619f5336e7d35b456e2eee1038a33722d78cae660c588e source=virtcontainers subsystem=sandbox

[robmry]

Hi all - the problem was a change in Docker Engine 26.0.0 to set up interfaces in the container's network namespace after task creation, rather than using the OCI prestart hook to created them during the process.

In 26.0.1, we've partially reverted that change, mostly because it meant per-interface sysctl settings could not be applied by the runtime library.

But, as a heads-up ...

In the next major release we plan to drop use of the deprecated prestart hook again - and offer a new way to set per-interface sysctls.

That means setup of initial network connections for newly created containers will be much more like connecting networks to existing containers ("docker network connect") ... the interfaces won't exist in the container's namespace during container task creation, they'll be added before the task is started.