Kata Pods with more than 5-6 containers fail to fully start under CRI-O when using runtime_type=vm

[evanfoster]

Description of problem

When deploying a pod with a large number of containers (example repro case here), several containers will fail to come up (in k8s, the state is CreateContainerError). This only happens when runtime_type is set to vm (which we need to improve virtio-fs performance). When these containers fail, we see the following message in CRI-O's logs:

Jun 25 02:27:38 vmss-agent-kata0-13stageva7-tpsce000001 kata[251958]: time="2020-06-25T02:27:38.30609749Z" level=error msg="Unable to hotplug memory device: QMP command failed: a used vhost backend has no free memory slots left" ID=87824eaf4c42fe4b4893b37c818de70e0e1a06bee6f6814c421d1cb609ac2afc source=virtcontainers subsystem=qmp

Here's a non-exhaustive list of the options I've played with to try to address this:

• Increased hypervisor.qemu.memory_slots from 50 to 100
• Increased hypervisor.qemu.default_memory
• Used virtio-9p instead of virtio-fs
• Changed CRI-O's storage system from devicemapper to vfs
• Set hypervisor.qemu.enable_mem_prealloc to true
• Loaded the vhost kernel module with max_mem_regions=512

Unfortunately, none of this had any effect. The only way I can get all containers in a large pod to run is to set runtime_type to oci in CRI-O.

Show kata-collect-data.sh details

Meta details

Running kata-collect-data.sh version 1.10.0-adobe (commit 2d2b8878c511d6f5ba65a6152c577608ee27e45d-dirty) at 2020-06-25.17:00:58.766166856+0000.

---

Runtime is /opt/kata/bin/kata-runtime.

kata-env

Output of "/opt/kata/bin/kata-runtime kata-env":

[Meta]
  Version = "1.0.23"

[Runtime]
  Debug = true
  Trace = false
  DisableGuestSeccomp = true
  DisableNewNetNs = false
  SandboxCgroupOnly = false
  Path = "/opt/kata/bin/kata-runtime"
  [Runtime.Version]
    Semver = "1.10.0-adobe"
    Commit = "2d2b8878c511d6f5ba65a6152c577608ee27e45d-dirty"
    OCI = "1.0.1-dev"
  [Runtime.Config]
    Path = "/opt/kata/share/defaults/kata-containers/configuration-qemu-virtiofs.toml"

[Hypervisor]
  MachineType = "pc"
  Version = "QEMU emulator version 4.1.0 (kata-static)\nCopyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers"
  Path = "/opt/kata/bin/qemu-virtiofs-system-x86_64"
  BlockDeviceDriver = "virtio-scsi"
  EntropySource = "/dev/urandom"
  Msize9p = 8192
  MemorySlots = 50
  Debug = true
  UseVSock = true
  SharedFS = "virtio-fs"

[Image]
  Path = "/opt/kata/share/kata-containers/kata-containers-image_clearlinux_1.10.0_agent_a8007c2969.img"

[Kernel]
  Path = "/opt/kata/share/kata-containers/vmlinuz-virtio-fs-v0.3-60"
  Parameters = "systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket agent.log=debug"

[Initrd]
  Path = ""

[Proxy]
  Type = "noProxy"
  Version = ""
  Path = ""
  Debug = false

[Shim]
  Type = "kataShim"
  Version = "kata-shim version 1.10.0-6db555216f68a14b68ce64713083c5f5b4684aea"
  Path = "/opt/kata/libexec/kata-containers/kata-shim"
  Debug = true

[Agent]
  Type = "kata"
  Debug = true
  Trace = false
  TraceMode = ""
  TraceType = ""

[Host]
  Kernel = "4.19.128-flatcar"
  Architecture = "amd64"
  VMContainerCapable = true
  SupportVSocks = true
  [Host.Distro]
    Name = "Flatcar Container Linux by Kinvolk"
    Version = "2512.2.1"
  [Host.CPU]
    Vendor = "GenuineIntel"
    Model = "Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz"

[Netmon]
  Version = "kata-netmon version 1.10.0-adobe"
  Path = "/opt/kata/libexec/kata-containers/kata-netmon"
  Debug = true
  Enable = false

---

Runtime config files

Runtime default config files

/etc/kata-containers/configuration.toml
/opt/kata/share/defaults/kata-containers/configuration.toml

Runtime config file contents

Output of "cat "/etc/kata-containers/configuration.toml"":

# Copyright (c) 2017-2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#

# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "cli/config/configuration-qemu-virtiofs.toml.in"
# XXX: Project:
# XXX:   Name: Kata Containers
# XXX:   Type: kata

[hypervisor.qemu]
path = "/opt/kata/bin/qemu-virtiofs-system-x86_64"
kernel = "/opt/kata/share/kata-containers/vmlinuz-virtiofs.container"
image = "/opt/kata/share/kata-containers/kata-containers.img"
machine_type = "pc"

# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so as you
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = ""

# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = ""

# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators=""

# Default number of vCPUs per SB/VM:
# unspecified or 0                --> will be set to 1
# < 0                             --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores
default_vcpus = 1

# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0             --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU
# the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what are you doing.
default_maxvcpus = 0

# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Until 30 devices per bridge can be hot plugged.
# * Until 5 PCI bridges can be cold plugged per VM.
#   This limitation could be a bug in qemu or in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0   --> will be set to 1
# > 1 <= 5           --> will be set to the specified number
# > 5                --> will be set to 5
default_bridges = 1

# Default memory size in MiB for SB/VM.
# If unspecified then it will be set 2048 MiB.
default_memory = 2048
#
# Default memory slots per SB/VM.
# If unspecified then it will be set 10.
# This is will determine the times that memory will be hotadded to sandbox/VM.
memory_slots = 50

# The size in MiB will be plused to max memory of hypervisor.
# It is the memory address space for the NVDIMM devie.
# If set block storage driver (block_device_driver) to "nvdimm",
# should set memory_offset to the size of block device.
# Default 0
#memory_offset = 0

# Disable block device from being used for a container's rootfs.
# In case of a storage driver like devicemapper where a container's
# root file system is backed by a block device, the block device is passed
# directly to the hypervisor for performance reasons.
# This flag prevents the block device from being passed to the hypervisor,
# 9pfs is used instead to pass the rootfs.
disable_block_device_use = false

# Shared file system type:
#   - virtio-fs (default)
#   - virtio-9p
shared_fs = "virtio-fs"

# Path to vhost-user-fs daemon.
virtio_fs_daemon = "/opt/kata/bin/virtiofsd"

# Default size of DAX cache in MiB
virtio_fs_cache_size = 0

# Extra args for virtiofsd daemon
#
# Format example:
#   ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
#
# see `virtiofsd -h` for possible options.
virtio_fs_extra_args = []

# Cache mode:
#
#  - none
#    Metadata, data, and pathname lookup are not cached in guest. They are
#    always fetched from host and any changes are immediately pushed to host.
#
#  - auto
#    Metadata and pathname lookup cache expires after a configured amount of
#    time (default is 1 second). Data is cached while the file is open (close
#    to open consistency).
#
#  - always
#    Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "always"

# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
block_device_driver = "virtio-scsi"

# Specifies cache-related options will be set to block devices or not.
# Default false
#block_device_cache_set = true

# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true

# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false
#block_device_cache_noflush = true

# Enable iothreads (data-plane) to be used. This causes IO to be
# handled in a separate IO thread. This is currently only implemented
# for SCSI.
#
enable_iothreads = false

# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true

# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically
# result in memory pre allocation
#enable_hugepages = true

# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
# This option will be ignored if VM templating is enabled.
#file_mem_backend = ""

# Enable swap of vm memory. Default false.
# The behaviour is undefined if mem_prealloc is also set to true
#enable_swap = true

# This option changes the default hypervisor and kernel parameters
# to enable debug output where available. This extra output is added
# to the proxy logs, but only when proxy debug is also enabled.
#
# Default false
enable_debug = true

# Disable the customizations done in the runtime when it detects
# that it is running on top a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
#
#disable_nesting_checks = true

# This is the msize used for 9p shares. It is the number of bytes
# used for 9p packet payload.
#msize_9p = 8192

# If true and vsocks are supported, use vsocks to communicate directly
# with the agent and no proxy is started, otherwise use unix
# sockets and start a proxy to communicate with the agent.
# Default false
use_vsock = true

# VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on
# a bridge. This value is valid for "pc" machine type.
# Default false
#hotplug_vfio_on_root_bus = true

# If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off
# security (vhost-net runs ring0) for network I/O performance. 
#disable_vhost_net = true

#
# Default entropy source.
# The path to a host source of entropy (including a real hardware RNG)
# /dev/urandom and /dev/random are two main options.
# Be aware that /dev/random is a blocking source of entropy.  If the host
# runs out of entropy, the VMs boot time will increase leading to get startup
# timeouts.
# The source of entropy /dev/urandom is non-blocking and provides a
# generally acceptable source of entropy. It should work well for pretty much
# all practical purposes.
#entropy_source= "/dev/urandom"

# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,postart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered will scanning for hooks,
# but it will not abort container execution.
#guest_hook_path = "/usr/share/oci/hooks"

[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
# creation and saves a lot of memory if there are many kata containers running
# on the same host.
#
# When disabled, new VMs are created from scratch.
#
# Note: Requires "initrd=" to be set ("image=" is not supported).
#
# Default false
#enable_template = true

# Specifies the path of template.
#
# Default "/run/vc/vm/template"
#template_path = "/run/vc/vm/template"

# The number of caches of VMCache:
# unspecified or == 0   --> VMCache is disabled
# > 0                   --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket.  The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client.  It will request gRPC format
# VM and convert it back to a VM.  If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
#vm_cache_number = 0

# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
#vm_cache_endpoint = "/var/run/kata-containers/cache.sock"

[proxy.kata]
path = "/opt/kata/libexec/kata-containers/kata-proxy"

# If enabled, proxy messages will be sent to the system log
# (default: disabled)
enable_debug = true

[shim.kata]
path = "/opt/kata/libexec/kata-containers/kata-shim"

# If enabled, shim messages will be sent to the system log
# (default: disabled)
enable_debug = true

# If enabled, the shim will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
#
# Note: By default, the shim runs in a separate network namespace. Therefore,
# to allow it to send trace details to the Jaeger agent running on the host,
# it is necessary to set 'disable_new_netns=true' so that it runs in the host
# network namespace.
#
# (default: disabled)
#enable_tracing = true

[agent.kata]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
enable_debug = true

# Enable agent tracing.
#
# If enabled, the default trace mode is "dynamic" and the
# default trace type is "isolated". The trace mode and type are set
# explicity with the `trace_type=` and `trace_mode=` options.
#
# Notes:
#
# - Tracing is ONLY enabled when `enable_tracing` is set: explicitly
#   setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing`
#   will NOT activate agent tracing.
#
# - See https://github.com/kata-containers/agent/blob/master/TRACING.md for
#   full details.
#
# (default: disabled)
#enable_tracing = true
#
#trace_mode = "dynamic"
#trace_type = "isolated"

# Comma separated list of kernel modules and their parameters.
# These modules will be loaded in the guest kernel using modprobe(8).
# The following example can be used to load two kernel modules with parameters
#  - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"]
# The first word is considered as the module name and the rest as its parameters.
# Container will not be started when:
#  * A kernel module is specified and the modprobe command is not installed in the guest
#    or it fails loading the module.
#  * The module is not available in the guest or it doesn't met the guest kernel
#    requirements, like architecture and version.
#
kernel_modules=[]


[netmon]
# If enabled, the network monitoring process gets started when the
# sandbox is created. This allows for the detection of some additional
# network being added to the existing network namespace, after the
# sandbox has been created.
# (default: disabled)
#enable_netmon = true

# Specify the path to the netmon binary.
path = "/opt/kata/libexec/kata-containers/kata-netmon"

# If enabled, netmon messages will be sent to the system log
# (default: disabled)
enable_debug = true

[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
enable_debug = true
#
# Internetworking model
# Determines how the VM should be connected to the
# the container network interface
# Options:
#
#   - bridged (Deprecated)
#     Uses a linux bridge to interconnect the container interface to
#     the VM. Works for most cases except macvlan and ipvlan.
#     ***NOTE: This feature has been deprecated with plans to remove this
#     feature in the future. Please use other network models listed below.
#
#   - macvtap
#     Used when the Container network interface can be bridged using
#     macvtap.
#
#   - none
#     Used when customize network. Only creates a tap device. No veth pair.
#
#   - tcfilter
#     Uses tc filter rules to redirect traffic from the network interface
#     provided by plugin to a tap interface connected to the VM.
#
internetworking_model="tcfilter"

# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest
# (default: true)
disable_guest_seccomp=true

# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true

# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# `disable_new_netns` conflicts with `enable_netmon`
# `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# If you are using docker, `disable_new_netns` only works with `docker run --net=none`
# (default: false)
#disable_new_netns = true

# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
# The container cgroups in the host are not created, just one single cgroup per sandbox.
# The sandbox cgroup is not constrained by the runtime
# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
sandbox_cgroup_only=false

# If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
# be created on the host and shared via 9p. This is far slower, but allows sharing of files from host to guest.
disable_guest_empty_dir = false

# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# They may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# 1. "newstore": new persist storage driver which breaks backward compatibility,
#                               expected to move out of experimental in 2.0.0.
# (default: [])
experimental=[]

Output of "cat "/opt/kata/share/defaults/kata-containers/configuration.toml"":
Removed, since it's not being used.

---

KSM throttler

version

Output of " --version":

/opt/kata/bin/kata-collect-data.sh: line 178: --version: command not found

systemd service

Image details

---
osbuilder:
  url: "https://github.com/kata-containers/osbuilder"
  version: "unknown"
rootfs-creation-time: "2020-01-16T01:56:37.905020975+0000Z"
description: "osbuilder rootfs"
file-format-version: "0.0.2"
architecture: "x86_64"
base-distro:
  name: "Clear"
  version: "32100"
  packages:
    default:
      - "chrony"
      - "iptables-bin"
      - "kmod-bin"
      - "libudev0-shim"
      - "systemd"
      - "util-linux-bin"
    extra:

agent:
  url: "https://github.com/kata-containers/agent"
  name: "kata-agent"
  version: "1.10.0-a8007c2969e839b584627d1a7db4cac13af908a6"
  agent-is-init-daemon: "no"

---

Initrd details

No initrd

---

Logfiles

Runtime logs

Recent runtime problems found in system journal:

time="2020-06-25T15:55:13.856317428Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056 error="open /run/vc/sbs/6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056/devices.json: no such file or directory" name=kata-runtime pid=78177 sandbox=6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056 sandboxid=6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056 source=virtcontainers subsystem=sandbox
time="2020-06-25T15:55:15.556593964Z" level=info msg="sanner return error: read unix @->/run/vc/vm/6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056/qmp.sock: use of closed network connection" arch=amd64 command=create container=6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056 name=kata-runtime pid=78177 source=virtcontainers subsystem=qmp
time="2020-06-25T15:55:59.170050789Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/73187918e3bc8832420dc62a21f280e6c873af1b5ba93a027e2e340564abff48/rootfs"
time="2020-06-25T15:55:59.175584326Z" level=info msg="sanner return error: read unix @->/run/vc/vm/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/qmp.sock: use of closed network connection" arch=amd64 command=kill container=73187918e3bc8832420dc62a21f280e6c873af1b5ba93a027e2e340564abff48 name=kata-runtime pid=83262 sandbox=3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee source=virtcontainers subsystem=qmp
time="2020-06-25T15:55:59.178942149Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/f10d1202505cd1af6a0df19c68a5918bbf5ea8a1d940bfc920ab6a64494cda93/rootfs"
time="2020-06-25T15:55:59.185379694Z" level=info msg="sanner return error: read unix @->/run/vc/vm/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/qmp.sock: use of closed network connection" arch=amd64 command=kill container=f10d1202505cd1af6a0df19c68a5918bbf5ea8a1d940bfc920ab6a64494cda93 name=kata-runtime pid=83404 sandbox=c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2 source=virtcontainers subsystem=qmp
time="2020-06-25T15:55:59.205703133Z" level=warning msg="Failed to get container, force will not fail: Container ID (6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056) does not exist" arch=amd64 command=delete container=6fcc00870b69331e17e744a1e4a80bda9db717d421007d13988eecb51ba06056 name=kata-runtime pid=83760 source=runtime
time="2020-06-25T15:55:59.387015976Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c/cdac5873f2e2bca254ee030b3acbdd6bd5580821d8f1d30c024f2409db835b3d/rootfs"
time="2020-06-25T15:55:59.455207643Z" level=info msg="sanner return error: read unix @->/run/vc/vm/702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c/qmp.sock: use of closed network connection" arch=amd64 command=kill container=cdac5873f2e2bca254ee030b3acbdd6bd5580821d8f1d30c024f2409db835b3d name=kata-runtime pid=83472 sandbox=702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c source=virtcontainers subsystem=qmp
time="2020-06-25T15:55:59.856091891Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/9b818e4edf76839fb01a5cb7f3cbde3c0e6020589a731d79cc0b570da6109310/rootfs"
time="2020-06-25T15:55:59.863606043Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=9b818e4edf76839fb01a5cb7f3cbde3c0e6020589a731d79cc0b570da6109310 name=kata-runtime pid=83281 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:55:59.921971443Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/4ec41b32fcf2695431feefde279085dd138561f9a5751d147372487bf3c190f3/rootfs"
time="2020-06-25T15:55:59.928905591Z" level=info msg="sanner return error: read unix @->/run/vc/vm/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/qmp.sock: use of closed network connection" arch=amd64 command=kill container=4ec41b32fcf2695431feefde279085dd138561f9a5751d147372487bf3c190f3 name=kata-runtime pid=83379 sandbox=903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:00.212951537Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/ec6acea83d98702f807dcd8528ed1d4fd1f333caa80e6707e821908b509e62a5/rootfs"
time="2020-06-25T15:56:00.218499275Z" level=info msg="sanner return error: read unix @->/run/vc/vm/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/qmp.sock: use of closed network connection" arch=amd64 command=kill container=ec6acea83d98702f807dcd8528ed1d4fd1f333caa80e6707e821908b509e62a5 name=kata-runtime pid=83443 sandbox=c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.031946148Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/f9872c0234bebc5d69ab207e97915a5f8af444084b20c35cd53adc68e1d018c1/rootfs"
time="2020-06-25T15:56:01.045962344Z" level=info msg="sanner return error: read unix @->/run/vc/vm/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/qmp.sock: use of closed network connection" arch=amd64 command=kill container=f9872c0234bebc5d69ab207e97915a5f8af444084b20c35cd53adc68e1d018c1 name=kata-runtime pid=83258 sandbox=3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.107822468Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/d81804f98e961a45e0e3c3473256729cfc22599469b2b5ec1cdadaf8ab732c71/rootfs"
time="2020-06-25T15:56:01.114576814Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=d81804f98e961a45e0e3c3473256729cfc22599469b2b5ec1cdadaf8ab732c71 name=kata-runtime pid=83321 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.134986354Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/6cc00062a37a0bdbc2c6d93f71a6e7b80bf66549a90d6b1429ba3db4579fa3c7/rootfs"
time="2020-06-25T15:56:01.1416132Z" level=info msg="sanner return error: read unix @->/run/vc/vm/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/qmp.sock: use of closed network connection" arch=amd64 command=kill container=6cc00062a37a0bdbc2c6d93f71a6e7b80bf66549a90d6b1429ba3db4579fa3c7 name=kata-runtime pid=83359 sandbox=903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.246946321Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/bceba7a3ac907f9b855f43efc537d72dbf15d5c2a98bf5784f839c43c29f5765/rootfs"
time="2020-06-25T15:56:01.253488866Z" level=info msg="sanner return error: read unix @->/run/vc/vm/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/qmp.sock: use of closed network connection" arch=amd64 command=kill container=bceba7a3ac907f9b855f43efc537d72dbf15d5c2a98bf5784f839c43c29f5765 name=kata-runtime pid=83435 sandbox=c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.429929774Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/2c0f2b932786a842f230dd6f3df394b65c0c297ade5ca5c334be1958dba94638/rootfs"
time="2020-06-25T15:56:01.438726534Z" level=info msg="sanner return error: read unix @->/run/vc/vm/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/qmp.sock: use of closed network connection" arch=amd64 command=kill container=2c0f2b932786a842f230dd6f3df394b65c0c297ade5ca5c334be1958dba94638 name=kata-runtime pid=83261 sandbox=3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.824938579Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/87dccadd27c21cb15a26687a99df44ff8fec4c91d655019b5283dc768071c423/rootfs"
time="2020-06-25T15:56:01.834180043Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=87dccadd27c21cb15a26687a99df44ff8fec4c91d655019b5283dc768071c423 name=kata-runtime pid=83305 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:01.934968833Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/7f0636ab6a86956b8870aca85ee01c8fc245f0146919fc311dc3629628683446/rootfs"
time="2020-06-25T15:56:01.94189698Z" level=info msg="sanner return error: read unix @->/run/vc/vm/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/qmp.sock: use of closed network connection" arch=amd64 command=kill container=7f0636ab6a86956b8870aca85ee01c8fc245f0146919fc311dc3629628683446 name=kata-runtime pid=83399 sandbox=903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:02.071970971Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/8a906f4eea4c73523d782a6e95dacd4865c912c76912386ef5c3b500dd261b2b/rootfs"
time="2020-06-25T15:56:02.077501409Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=8a906f4eea4c73523d782a6e95dacd4865c912c76912386ef5c3b500dd261b2b name=kata-runtime pid=83306 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:02.454950092Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/3600a64f5323209cba4ab584c23859bbe14dcce88afe9dd8ebdbb7e8f5fc1be9/rootfs"
time="2020-06-25T15:56:02.46185784Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=3600a64f5323209cba4ab584c23859bbe14dcce88afe9dd8ebdbb7e8f5fc1be9 name=kata-runtime pid=83357 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:02.8358909Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/7e42f1b1f0b2760236e8a25ee67e82df757181f8376eb67d1951e1780590d616/rootfs"
time="2020-06-25T15:56:02.84315525Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=7e42f1b1f0b2760236e8a25ee67e82df757181f8376eb67d1951e1780590d616 name=kata-runtime pid=83328 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:06.613979633Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/5f4a24fdae8d66c1d1cc85957385051fd216273f6f27dc1fd2d631a15ddd8e7e/rootfs"
time="2020-06-25T15:56:06.620193176Z" level=info msg="sanner return error: read unix @->/run/vc/vm/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/qmp.sock: use of closed network connection" arch=amd64 command=kill container=5f4a24fdae8d66c1d1cc85957385051fd216273f6f27dc1fd2d631a15ddd8e7e name=kata-runtime pid=85005 sandbox=c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:07.40558214Z" level=warning msg="Failed to get container, force will not fail: Container ID (a4a1f9e32a4bd5341d3f6a10c30f21071b2d0f9b44181f3f10685be712e05afd) does not exist" arch=amd64 command=delete container=a4a1f9e32a4bd5341d3f6a10c30f21071b2d0f9b44181f3f10685be712e05afd name=kata-runtime pid=85207 source=runtime
time="2020-06-25T15:56:07.465949752Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/681553197e67c51a4802d93bdf2791aaa396e73447697b34bb76fe3fd3fbd9e3/rootfs"
time="2020-06-25T15:56:07.471738492Z" level=info msg="sanner return error: read unix @->/run/vc/vm/903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5/qmp.sock: use of closed network connection" arch=amd64 command=kill container=681553197e67c51a4802d93bdf2791aaa396e73447697b34bb76fe3fd3fbd9e3 name=kata-runtime pid=85049 sandbox=903903f3c788040cd78b2cf48bb47a0a69882b5ca039bb175aaa514baf6f0af5 source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:08.204951498Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/02e7326b547368bf4f7c4001e32521e3a54a6db04a05921d931b8d0040df6995/rootfs"
time="2020-06-25T15:56:08.211028539Z" level=info msg="sanner return error: read unix @->/run/vc/vm/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/qmp.sock: use of closed network connection" arch=amd64 command=kill container=02e7326b547368bf4f7c4001e32521e3a54a6db04a05921d931b8d0040df6995 name=kata-runtime pid=85282 sandbox=3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:09.14743033Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/ad200b8614d1855b8cce62137534f8775ceaa68cecdac3201bf6c2463a5d6f39/rootfs"
time="2020-06-25T15:56:09.156598393Z" level=info msg="sanner return error: read unix @->/run/vc/vm/71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc/qmp.sock: use of closed network connection" arch=amd64 command=kill container=ad200b8614d1855b8cce62137534f8775ceaa68cecdac3201bf6c2463a5d6f39 name=kata-runtime pid=85318 sandbox=71df85a73b51541de91756f011363c9a34995659dabb8bd7011250d3c222f0fc source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:39.411944702Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c/702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c/rootfs"
time="2020-06-25T15:56:39.617920188Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee/rootfs"
time="2020-06-25T15:56:39.658838163Z" level=info msg="sanner return error: read unix @->/run/vc/vm/702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c/qmp.sock: use of closed network connection" arch=amd64 command=kill container=702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c name=kata-runtime pid=88639 sandbox=702d4493567f08cec6f085d7cd114b108bcbfca32c1784ce7eb99234d6a3bb3c source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:39.682578023Z" level=info msg="sanner return error: <nil>" arch=amd64 command=kill container=3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee name=kata-runtime pid=88652 sandbox=3a64b7e2935fdc7252d6c076cc67d8353f01c22ad63ba4a3da5dfd24e688b3ee source=virtcontainers subsystem=qmp
time="2020-06-25T15:56:39.860945424Z" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/rootfs"
time="2020-06-25T15:56:39.963845516Z" level=info msg="sanner return error: read unix @->/run/vc/vm/c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2/qmp.sock: use of closed network connection" arch=amd64 command=kill container=c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2 name=kata-runtime pid=88653 sandbox=c55b8022a7b7d8907d05733ed8284f232805c06af4d85defec77bdbc9e1186f2 source=virtcontainers subsystem=qmp

Proxy logs

No recent proxy problems found in system journal.

Shim logs

Recent shim problems found in system journal:

time="2020-06-25T15:57:17.282624025Z" level=error msg="forward signal failed" container=49054830e2e4eb950d2f3fd420397869b88d410cfd99cba7cf657cd53ba83326 error="rpc error: code = NotFound desc = Could not signal process: rpc error: code = NotFound desc = Process 03e3e622-a445-4bcd-bbe8-5aacf95dbe49 not found (container 49054830e2e4eb950d2f3fd420397869b88d410cfd99cba7cf657cd53ba83326)" exec-id=03e3e622-a445-4bcd-bbe8-5aacf95dbe49 name=kata-shim pid=296 signal=continued source=shim
time="2020-06-25T15:57:17.282677225Z" level=error msg="forward signal failed" container=862b776ff0488e2a2deffd768d0398ab78c958c813c32342f4bb0b155885b564 error="rpc error: code = Unknown desc = no such process" exec-id=22db903d-5901-4de3-82f0-492600e23307 name=kata-shim pid=645 signal=continued source=shim

Throttler logs

No recent throttler problems found in system journal.

---

Container manager details

Have docker, but it's not in use. Removing this section.

Have kubectl

Kubernetes

Output of "kubectl version":

Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.6", GitCommit:"d32e40e20d167e103faf894261614c5b45c44198", GitTreeState:"clean", BuildDate:"2020-05-20T13:16:24Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Error from server (NotFound): the server could not find the requested resource

Output of "kubectl config view":

apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

Output of "systemctl show kubelet":

Type=simple
Restart=on-failure
NotifyAccess=none
RestartUSec=5s
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestampMonotonic=0
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=93008
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestamp=Thu 2020-06-25 15:57:29 UTC
ExecMainStartTimestampMonotonic=1589071502
E
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=524288
LimitNOFILESoft=1024
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=515470
LimitNPROCSoft=515470
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=515470
LimitSIGPENDINGSoft=515470
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=0
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=process
KillSignal=15
FinalKillSignal=9
SendSIGKILL=yes
SendSIGHUP=no
WatchdogSignal=6
Id=kubelet.service
Names=kubelet.service
Requires=download-certificates.service sysinit.target configure-docker.service coreos-metadata.service system.slice crio.service docker.service configure-kubelet.service
Wants=configure-kubelet.service
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=multi-user.target shutdown.target
After=mnt-nvme.mount system.slice systemd-journald.socket nvidia-driver.service download-certificates.service crio.service sysinit.target coreos-metadata.service configure-kubelet.service docker.service basic.target configure-docker.service
Description=Kubernetes Kubelet
LoadState=loaded
ActiveState=active
SubState=running
FragmentPath=/etc/systemd/system/kubelet.service
DropInPaths=/etc/systemd/system/kubelet.service.d/11-ecr-credentials.conf
UnitFileState=enabled
UnitFilePreset=enabled
StateChangeTimestamp=Thu 2020-06-25 15:57:29 UTC
StateChangeTimestampMonotonic=1589071546
InactiveExitTimestamp=Thu 2020-06-25 15:57:29 UTC
InactiveExitTimestampMonotonic=1589044156
ActiveEnterTimestamp=Thu 2020-06-25 15:57:29 UTC
ActiveEnterTimestampMonotonic=1589071546
ActiveExitTimestamp=Thu 2020-06-25 15:57:17 UTC
ActiveExitTimestampMonotonic=1576404795
InactiveEnterTimestamp=Thu 2020-06-25 15:57:17 UTC
InactiveEnterTimestampMonotonic=1576421813
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Thu 2020-06-25 15:57:29 UTC
ConditionTimestampMonotonic=1589041592
AssertTimestamp=Thu 2020-06-25 15:57:29 UTC
AssertTimestampMonotonic=1589041593
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
FailureActionExitStatus=-1
SuccessAction=none
SuccessActionExitStatus=-1
InvocationID=484fae32d73e45eb8b85ac92dde9af7e
CollectMode=inactive

Have crio

crio

Output of "crio --version":

crio version 1.17.4
commit: "16a05aafdf5d8fb84942ca60497818949b711cbc"

Output of "systemctl show crio":

Type=notify
Restart=always
NotifyAccess=main
RestartUSec=100ms
TimeoutStartUSec=infinity
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestampMonotonic=0
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=92271
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestamp=Thu 2020-06-25 15:57:17 UTC
ExecMainStartTimestampMonotonic=1576899973
ExecMainExitTimestampMonotonic=0
ExecMainPID=92271
ExecMainCode=0
ExecMainStatus=0
ExecStartPre={ path=/opt/ethos/bin/crio-setup.sh ; argv[]=/opt/ethos/bin/crio-setup.sh ; ignore_errors=no ; start_time=[Thu 2020-06-25 15:57:17 UTC] ; stop_time=[Thu 2020-06-25 15:57:17 UTC] ; pid=92236 ; code=exited ; status=0 }
ExecStart={ path=/opt/bin/crio ; argv[]=/opt/bin/crio $CRIO_FLAGS ; ignore_errors=no ; start_time=[Thu 2020-06-25 15:57:17 UTC] ; stop_time=[n/a] ; pid=92271 ; code=(null) ; status=0/0 }
ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/crio.service
MemoryCurrent=54329626624
CPUUsageNSec=17094508414547
TasksCurrent=537
IPIngressBytes=18446744073709551615
IPIngressPackets=18446744073709551615
IPEgressBytes=18446744073709551615
IPEgressPackets=18446744073709551615
Delegate=no
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=infinity
IPAccounting=no
EnvironmentFiles=/etc/crio/crio.env (ignore_errors=no)
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=1048576
LimitNOFILESoft=1048576
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=1048576
LimitNPROCSoft=1048576
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=515470
LimitSIGPENDINGSoft=515470
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=-999
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=control-group
KillSignal=15
FinalKillSignal=9
SendSIGKILL=yes
SendSIGHUP=no
WatchdogSignal=6
Id=crio.service
Names=crio.service
Requires=sysinit.target lvm2-lvmetad.service cri-logging-driver-watch.service network-online.target system.slice
RequiredBy=kubelet.service
WantedBy=crio-shutdown.service multi-user.target
Conflicts=shutdown.target
Before=shutdown.target multi-user.target crio-shutdown.service nvidia-driver.service kubelet.service
After=systemd-journald.socket sysinit.target lvm2-lvmetad.service cri-logging-driver-watch.service basic.target network-online.target system.slice
Documentation=https://github.com/kubernetes-sigs/cri-o/blob/master/contrib/systemd/crio.service
Description=Open Container Initiative Daemon
LoadState=loaded
ActiveState=active
SubState=running
FragmentPath=/etc/systemd/system/crio.service
UnitFileState=enabled
UnitFilePreset=enabled
StateChangeTimestamp=Thu 2020-06-25 15:57:29 UTC
StateChangeTimestampMonotonic=1589040337
InactiveExitTimestamp=Thu 2020-06-25 15:57:17 UTC
InactiveExitTimestampMonotonic=1576447476
ActiveEnterTimestamp=Thu 2020-06-25 15:57:29 UTC
ActiveEnterTimestampMonotonic=1589040337
ActiveExitTimestamp=Thu 2020-06-25 15:57:17 UTC
ActiveExitTimestampMonotonic=1576426491
InactiveEnterTimestamp=Thu 2020-06-25 15:57:17 UTC
InactiveEnterTimestampMonotonic=1576443523
CanStart=yes
CanStop=yes
CanReload=yes
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Thu 2020-06-25 15:57:17 UTC
ConditionTimestampMonotonic=1576444709
AssertTimestamp=Thu 2020-06-25 15:57:17 UTC
AssertTimestampMonotonic=1576444709
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
FailureActionExitStatus=-1
SuccessAction=none
SuccessActionExitStatus=-1
InvocationID=0fcc1940426645e5b30c0781ea72482f
CollectMode=inactive

Output of "cat /etc/crio/crio.conf":

# The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.

# CRI-O supports partial configuration reload during runtime, which can be
# done by sending SIGHUP to the running process. Currently supported options
# are explicitly mentioned with: 'This option supports live configuration
# reload'.

# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio]

# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
#root = "/home/sascha/.local/share/containers/storage"

# Path to the "run directory". CRI-O stores all of its state in this directory.
#runroot = "/tmp/1000"

# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
storage_driver = "devicemapper"

# List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
storage_option = ["dm.directlvm_device=/dev/disk/azure/resource", "dm.mountopt=nodev", "dm.directlvm_device_force=true", "dm.basesize=50G"]
#]

# If set to false, in-memory locking will be used instead of file-based locking.
# **Deprecated** this option will be removed in the future.
file_locking = false

# Path to the lock file.
# **Deprecated** this option will be removed in the future.
file_locking_path = "/run/crio.lock"


# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]

# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"

# IP address on which the stream server will listen.
stream_address = "127.0.0.1"

# The port on which the stream server will listen.
stream_port = "0"

# Enable encrypted TLS transport of the stream server.
stream_enable_tls = false

# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
stream_tls_cert = ""

# Path to the key file used to serve the encrypted stream. This file can
# change, and CRI-O will automatically pick up the changes within 5 minutes.
stream_tls_key = ""

# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change, and CRI-O will
# automatically pick up the changes within 5 minutes.
stream_tls_ca = ""

# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_send_msg_size = 16777216

# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_recv_msg_size = 16777216

# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]

# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# If nothing is set here, settings will be inherited from the CRI-O daemon
#default_ulimits = [
#]

# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below.
default_runtime = "runc"

# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
no_pivot = false

# Path to the conmon binary, used for monitoring the OCI runtime.
# Ethos: The default value of `/usr/local/libexec/crio/conmon` is on the read-only
# filesystem. This binary is provided at the new value, `/opt/bin/conmon`
conmon = "/opt/bin/conmon"

# Cgroup setting for conmon
conmon_cgroup = "pod"

# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
conmon_env = [
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]

# If true, SELinux will be used for pod separation on the host.
# Ethos: selinux must be disabled for kata to currently function.
selinux = false

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime. If not specified, then the internal default seccomp profile
# will be used.
seccomp_profile = "/etc/crio/seccomp.json"

# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default-" followed by the version string of CRI-O.
apparmor_profile = "crio-default"

# Cgroup management implementation used for the runtime.
cgroup_manager = "cgroupfs"

# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
# default_capabilities = [
# 	"CHOWN", 
# 	"DAC_OVERRIDE", 
# 	"FSETID", 
# 	"FOWNER", 
# 	"NET_RAW", 
# 	"SETGID", 
# 	"SETUID", 
# 	"SETPCAP", 
# 	"NET_BIND_SERVICE", 
# 	"SYS_CHROOT", 
# 	"KILL", 
# ]

# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
default_sysctls = [
]

# List of additional devices. specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
#If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
additional_devices = [
]

# Path to OCI hooks directories for automatically executed hooks.
hooks_dir = [
  "/etc/containers/oci/hooks.d"
]

# List of default mounts for each container. **Deprecated:** this option will
# be removed in future versions in favor of default_mounts_file.
default_mounts = [
]

# Path to the file specifying the defaults mounts for each container. The
# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
# its default mounts from the following two files:
#
#   1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
#      override file, where users can either add in their own default mounts, or
#      override the default mounts shipped with the package.
#
#   2) /usr/share/containers/mounts.conf: This is the default file read for
#      mounts. If you want CRI-O to read from a different, specific mounts file,
#      you can change the default_mounts_file. Note, if this is done, CRI-O will
#      only add mounts it finds in this file.
#
#default_mounts_file = ""

# Maximum number of processes allowed in a container.
pids_limit = 1024

# Maximum sized allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
log_size_max = -1

# Whether container output should be logged to journald in addition to the kuberentes log file
log_to_journald = false

# Path to directory in which container exit files are written to by conmon.
container_exits_dir = "/var/run/crio/exits"

# Path to directory for container attach sockets.
container_attach_socket_dir = "/var/run/crio"

# If set to true, all containers will run in read-only mode.
read_only = false

# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, and debug. This option supports live
# configuration reload.
log_level = "error"

# The default log directory where all logs will go unless directly specified by the kubelet
log_dir = "/var/log/crio/pods"

# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
uid_mappings = ""

# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
gid_mappings = ""

# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container.
ctr_stop_timeout = 0

# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
# The runtime to use is picked based on the runtime_handler provided by the CRI.
# If no runtime_handler is provided, the runtime will be picked based on the level
# of trust of the workload.

# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
# and manage its lifecycle.

# Ethos: `manage_network_ns_lifecycle` is added according to Kata docs
# https://github.com/kata-containers/packaging/blob/master/kata-deploy/scripts/kata-deploy.sh#L53-L72
# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
# and manage its lifecycle
manage_network_ns_lifecycle = true


[crio.runtime.runtimes.runc]
runtime_path = "/usr/bin/runc"
runtime_type = "oci"

# runtime_type = "vm" is (probably) meant to be used when CRI-O is trying to run things made
# for containerd. If the runtime can't support OCI, then you can use the "vm" type to run
# it anyways.
# We use the "vm" runtime type here because virtio-fs performs terribly under "oci".
# I have absolutely no idea WHY this is the case because the docs don't provide any details,
# but I was told to try it in this Github issue comment and it worked:
# https://github.com/cri-o/cri-o/issues/3581#issuecomment-615467744
# It says "containerd" below, but that's just a shim Kata created to work under containerd,
# which we are pretending to be.
[crio.runtime.runtimes.kata-qemu]
runtime_path = "/opt/kata/bin/containerd-shim-kata-v2"
runtime_type = "vm"


# The crio.image table contains settings pertaining to the management of OCI images.
#
# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image]

# Default transport for pulling images from a remote container storage.
default_transport = "docker://"

# The path to a file containing credentials necessary for pulling images from
# secure registries. The file is similar to that of /var/lib/kubelet/config.json
global_auth_file = ""

# The image used to instantiate infra containers.
# This option supports live configuration reload.
pause_image = "k8s.gcr.io/pause:3.1"

# The path to a file containing credentials specific for pulling the pause_image from
# above. The file is similar to that of /var/lib/kubelet/config.json
# This option supports live configuration reload.
pause_image_auth_file = ""

# The command to run to have a container stay in the paused state.
# This option supports live configuration reload.
pause_command = "/pause"

# Path to the file which decides what sort of policy we use when deciding
# whether or not to trust an image that we've pulled. It is not recommended that
# this option be used, as the default behavior of using the system-wide default
# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
signature_policy = ""

# Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir"

# List of registries to be used when pulling an unqualified image (e.g.,
# "alpine:latest"). By default, registries is set to "docker.io" for
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
registries = [
  "docker.io"
]


# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]

# Path to the directory where CNI configuration files are located.
network_dir = "/etc/cni/net.d/"

# Paths to directories where CNI plugin binaries are located.
plugin_dirs = [
	"/opt/cni/bin/",
]

Have containerd, but it's not being used. Removing this section.

---

Packages

No dpkg
No rpm

---

Additional details

When runtime_type is set to vm, pods don't appear to clean up correctly. I had initially thought this was due to devmapper cleanup failures, but I see this same issue when we're using vfs as our storage driver. Deleted pods look like this:

❯ kubectl get pods qemu-guest-empty-dir-6b54487cbf-6scmt
NAME                                    READY   STATUS        RESTARTS   AGE
qemu-guest-empty-dir-6b54487cbf-6scmt   0/11    Terminating   0          32m

vmss-agent-kata1-test-fhlxn000000 ~ # crictl pods | grep qemu-guest-empty-dir-6b54487cbf-6scmt
aba6099d1e764       31 minutes ago       NotReady            qemu-guest-empty-dir-6b54487cbf-6scmt          default             0

vmss-agent-kata1-test-fhlxn000000 ~ # crictl inspectp aba6099d1e764
{
  "status": {
    "id": "aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622",
    "metadata": {
      "attempt": 0,
      "name": "qemu-guest-empty-dir-6b54487cbf-6scmt",
      "namespace": "default",
      "uid": "d25663aa-3f4b-4933-9588-017912b064ee"
    },
    "state": "SANDBOX_NOTREADY",
    "createdAt": "2020-06-25T18:09:42.438868293Z",
    "network": {
      "additionalIps": [],
      "ip": "172.16.10.232"
    },
    "linux": {
      "namespaces": {
        "options": {
          "ipc": "POD",
          "network": "POD",
          "pid": "CONTAINER"
        }
      }
    },
    "labels": {
      "app": "qemu-guest-empty-dir",
      "io.kubernetes.container.name": "POD",
      "io.kubernetes.pod.name": "qemu-guest-empty-dir-6b54487cbf-6scmt",
      "io.kubernetes.pod.namespace": "default",
      "io.kubernetes.pod.uid": "d25663aa-3f4b-4933-9588-017912b064ee",
      "pod-template-hash": "6b54487cbf"
    },
    "annotations": {
      "kubernetes.io/config.seen": "2020-06-25T18:09:37.667375818Z",
      "kubernetes.io/config.source": "api",
      "kubernetes.io/psp": "privileged"
    },
    "runtimeHandler": ""
  }
}

vmss-agent-kata1-test-fhlxn000000 ~ # crictl rmp aba6099d1e764
ERRO[0000] removing the pod sandbox "aba6099d1e764" failed: rpc error: code = Unknown desc = failed to delete container k8s_qemu-4_qemu-guest-empty-dir-6b54487cbf-6scmt_default_d25663aa-3f4b-4933-9588-017912b064ee_0 in pod sandbox aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622: Could not retrieve container information
FATA[0000] unable to remove sandbox(es)

vmss-agent-kata1-test-fhlxn000000 ~ # journalctl -u crio | grep aba6099d1e764
# ...snip...
Jun 25 18:38:55 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:55.508535988Z" level=error msg="hotplug memory" ID=aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622 error="QMP command failed: a used vhost backend has no free memory slots left" source=virtcontainers subsystem=qemu
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:56.440722019Z" level=warning msg="stop container failed" container=92ae93beb0934421b65af6aa20d89309fcbcfbc935e0e72407668f3e63063e8b error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/a4418cdaeba9f2ec8163123f004d9291c0db5cb9cff309740384a2251c484d2f/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:56.440722019Z" level=warning msg="stop container failed" container=92ae93beb0934421b65af6aa20d89309fcbcfbc935e0e72407668f3e63063e8b error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/a4418cdaeba9f2ec8163123f004d9291c0db5cb9cff309740384a2251c484d2f/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:56.564626325Z" level=warning msg="stop container failed" container=f45503abfd061c9c9bb79a8bce8d6be8d313c2ce195a555b231b1c50c88020a5 error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/dcfc0a85d12dcd9de16e0664289391ff94c15871405bd45a24f36fdaf1fc7fd6/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:56.564626325Z" level=warning msg="stop container failed" container=f45503abfd061c9c9bb79a8bce8d6be8d313c2ce195a555b231b1c50c88020a5 error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/dcfc0a85d12dcd9de16e0664289391ff94c15871405bd45a24f36fdaf1fc7fd6/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:56.669598601Z" level=warning msg="stop container failed" container=6acc4386d2d618ef69930167151a9b3c84f323d03a8fd9572668ec0dac3ca8ce error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/b876441904e8a97dc561a53a24e04d2314d19f0f302800a75f2d11328ded40e6/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:56.669598601Z" level=warning msg="stop container failed" container=6acc4386d2d618ef69930167151a9b3c84f323d03a8fd9572668ec0dac3ca8ce error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/b876441904e8a97dc561a53a24e04d2314d19f0f302800a75f2d11328ded40e6/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:56.754622734Z" level=warning msg="stop container failed" container=0361ca199a575af876e57bfdf643d2106a0310af0cc1951d1b31c12ed38432cb error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/c083e3e0f67b8aed5e63b2d4a979c3a57f9e88f6934eb84fa42ab331e581444c/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:56.754622734Z" level=warning msg="stop container failed" container=0361ca199a575af876e57bfdf643d2106a0310af0cc1951d1b31c12ed38432cb error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/c083e3e0f67b8aed5e63b2d4a979c3a57f9e88f6934eb84fa42ab331e581444c/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:56.886656939Z" level=warning msg="stop container failed" container=8ac3626bfb5e2f7a98a9e4a97b0701ebabcb73e9ea0dd63a84f96903178a51ba error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/d40a9b6920bcc77625f246ac6c9cb1932a084c8a544cc1e17f0e009066f71dd3/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:56.886656939Z" level=warning msg="stop container failed" container=8ac3626bfb5e2f7a98a9e4a97b0701ebabcb73e9ea0dd63a84f96903178a51ba error="open /var/lib/vc/sbs/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/d40a9b6920bcc77625f246ac6c9cb1932a084c8a544cc1e17f0e009066f71dd3/config.json: no such file or directory"
Jun 25 18:38:56 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25 18:38:56.959039419Z" level=info msg="Got pod network &{Name:qemu-guest-empty-dir-6b54487cbf-6scmt Namespace:default ID:aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622 NetNS:/var/run/netns/1a82e165-dbe9-423a-babb-0594f3a56b0a Networks:[{Name:cilium-portmap Ifname:eth0}] RuntimeConfig:map[cilium-portmap:{IP: MAC: PortMappings:[] Bandwidth:<nil> IpRanges:[]}]}"
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 crio[825327]: level=debug msg="Processing CNI DEL request &skel.CmdArgs{ContainerID:\"aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622\", Netns:\"/var/run/netns/1a82e165-dbe9-423a-babb-0594f3a56b0a\", IfName:\"eth0\", Args:\"IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=qemu-guest-empty-dir-6b54487cbf-6scmt;K8S_POD_INFRA_CONTAINER_ID=aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622\", Path:\"/opt/cni/bin/\", StdinData:[]uint8{0x7b, 0x22, 0x63, 0x6e, 0x69, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, 0x22, 0x30, 0x2e, 0x33, 0x2e, 0x31, 0x22, 0x2c, 0x22, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x3a, 0x22, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2d, 0x70, 0x6f, 0x72, 0x74, 0x6d, 0x61, 0x70, 0x22, 0x2c, 0x22, 0x74, 0x79, 0x70, 0x65, 0x22, 0x3a, 0x22, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2d, 0x63, 0x6e, 0x69, 0x22, 0x7d}}" eventUUID=20c2df77-b713-11ea-948d-000d3ae3acd4 subsys=cilium-cni
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 crio[825327]: level=debug msg="CNI Args: types.ArgsSpec{CommonArgs:types.CommonArgs{IgnoreUnknown:true}, IP:net.IP(nil), K8S_POD_NAME:\"qemu-guest-empty-dir-6b54487cbf-6scmt\", K8S_POD_NAMESPACE:\"default\", K8S_POD_INFRA_CONTAINER_ID:\"aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622\"}" eventUUID=20c2df77-b713-11ea-948d-000d3ae3acd4 subsys=cilium-cni
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25 18:38:57.080383894Z" level=info msg="Finish piping stdout of container \"aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622\""
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25 18:38:57.080486695Z" level=info msg="Finish piping stderr of container \"aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622\""
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:57.11869796Z" level=error msg="failed to stop sandbox" sandbox=aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 kata[826372]: time="2020-06-25T18:38:57.118755061Z" level=error msg="failed to delete sandbox" sandbox=aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:57.118697960Z" level=error msg="failed to stop sandbox" sandbox=aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622
Jun 25 18:38:57 vmss-agent-kata1-test-fhlxn000000 crio[825327]: time="2020-06-25T18:38:57.118755061Z" level=error msg="failed to delete sandbox" sandbox=aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622

vmss-agent-kata1-test-fhlxn000000 ~ # ps aux -H | grep aba6099d1e764
root      826372  3.3  0.1 938612 70876 ?        Sl   18:09   1:05   /opt/kata/bin/containerd-shim-kata-v2 -namespace default -address  -publish-binary /opt/bin/crio -id aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622
root      826384  0.2  0.1 18960472 105624 ?     Sl   18:09   0:04     /opt/kata/bin/virtiofsd --fd=3 -o source=/run/kata-containers/shared/sandboxes/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622 -o cache=always --syslog -o no_posix_lock -d
root      826389  8.7 10.3 14246752 6812176 ?    Sl   18:09   2:51   /opt/kata/bin/qemu-virtiofs-system-x86_64 -name sandbox-aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622 -uuid 47ea85f0-3c89-41fb-9138-e4a03c154d09 -machine pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp unix:/run/vc/vm/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/qmp.sock,server,nowait -m 8192M,slots=50,maxmem=65445M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=/opt/kata/share/kata-containers/kata-containers-image_clearlinux_1.10.0_agent_a8007c2969.img,size=134217728 -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng,rng=rng0,romfile= -device vhost-vsock-pci,disable-modern=true,vhostfd=3,id=vsock-983022640,guest-cid=983022640,romfile= -chardev socket,id=char-e6de3e69140caae1,path=/run/vc/vm/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/vhost-fs.sock -device vhost-user-fs-pci,chardev=char-e6de3e69140caae1,tag=kataShared,cache-size=0M -netdev tap,id=network-0,vhost=on,vhostfds=4,fds=5 -device driver=virtio-net-pci,netdev=network-0,mac=ee:a4:9f:ec:08:5d,disable-modern=true,mq=on,vectors=4,romfile= -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -object memory-backend-file,id=dimm1,size=8192M,mem-path=/dev/shm,share=on -numa node,memdev=dimm1 -kernel /opt/kata/share/kata-containers/vmlinuz-virtio-fs-v0.3-60 -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=16 agent.use_vsock=true systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket -pidfile /run/vc/vm/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/pid -D /run/vc/vm/aba6099d1e76445e02815cfdc29e6382d88f23b48566a21c9b65b1d97d8ef622/qemu.log -smp 1,cores=1,threads=1,sockets=16,maxcpus=16

[fidencio]

Evan, I'll try to reproduce your issue and at some point Tomorrow.

I'd just like to mention that:

1. It looks like a legit issue and it's weird to happen only with the VM runtime type;
2. VM runtime type is what you should be using anyways, as using shimv2 is the general direction of the kata project;
3. /cc @dagrh, for inputs on the QEMU side of the things;
4. Not sure how related to this it can be, but I've faced some issues with cri-o cleaning things up when shutting down, which may (or may not) have influence on this (runtime_vm: Ignore ttrpc.ErrClosed when shutting the container down cri-o/cri-o#3924)

[evanfoster]

I upgraded Kata to 1.11.2. I'm still getting the same failure, but I did get some extra information out of the logs:

Jul 06 19:39:45 vmss-agent-kata1-test-jfitk000000 kata[33002]: time="2020-07-06T19:39:45.141095323Z" level=error msg="hotplug memory" ID=3fda8cfbc31b503aad6de1f9ffd0a83c72c84fadb72434a7015a669c0f4522f0 error="QMP command failed: a used vhost backend has no free memory slots left" source=virtcontainers subsystem=qemu
Jul 06 19:39:45 vmss-agent-kata1-test-jfitk000000 kata[33002]: time="2020-07-06T19:39:45.847940296Z" level=error msg="Unable to add memory device mem7: QMP command failed: a used vhost backend has no free memory slots left" ID=3fda8cfbc31b503aad6de1f9ffd0a83c72c84fadb72434a7015a669c0f4522f0 source=virtcontainers subsystem=qmp

[devimc]

@evanfoster Could you try with small chunks of memory? the next yaml works for me and it's based on your example but with small chunks of memory

EDIT: set hypervisor.qemu.memory_slots to 15

apiVersion: apps/v1
kind: Deployment
metadata:
  name: qemu-guest-empty-dir
spec:
  selector:
    matchLabels:
      app: qemu-guest-empty-dir
  replicas: 1
  template:
    metadata:
      labels:
        app: qemu-guest-empty-dir
    spec:
      containers:
        - image: alpine
          name: qemu-0
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-1
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-2
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-3
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-4
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-5
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-6
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-7
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-8
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-9
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
        - image: alpine
          name: qemu-10
          command: ["sh"]
          stdin: true
          volumeMounts:
            - name: test-volume
              mountPath: /test-volume
          tty: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
      runtimeClassName: kata
      restartPolicy: Always
      volumes:
        - name: test-volume
          emptyDir: {}

[evanfoster]

No joy, unfortunately. I set hypervisor.qemu.memory_slots to 15, applied the above YAML (after changing the runtimeClassName and nodeSelector), but the resulting pod still fails to come all the way up. It's failing with CreateContainerError. Here's what I see in the logs:

Jul 07 21:22:18 vmss-agent-kata1-test-jfitk000000 crio[4141]: time="2020-07-07 21:22:18.063257895Z" level=error msg="Failed to pipe stdout of container \"0ff48f4f34aee761bc47c4f1890f0fd210937866d58928fc0e82d69ebe7e3770\"" error="reading from a closed fifo"
Jul 07 21:22:19 vmss-agent-kata1-test-jfitk000000 kata[87409]: time="2020-07-07T21:22:19.079684005Z" level=error msg="Unable to add memory device mem7: QMP command failed: a used vhost backend has no free memory slots left" ID=88a3d4ce4595c593b1e45cfe09295a8277bb93be6a899dbbc4b7917c590f6204 source=virtcontainers subsystem=qmp
Jul 07 21:22:19 vmss-agent-kata1-test-jfitk000000 crio[4141]: time="2020-07-07T21:22:19.079684005Z" level=error msg="Unable to add memory device mem7: QMP command failed: a used vhost backend has no free memory slots left" ID=88a3d4ce4595c593b1e45cfe09295a8277bb93be6a899dbbc4b7917c590f6204 source=virtcontainers subsystem=qmp
Jul 07 21:22:19 vmss-agent-kata1-test-jfitk000000 crio[4141]: time="2020-07-07T21:22:19.080366308Z" level=error msg="hotplug memory" ID=88a3d4ce4595c593b1e45cfe09295a8277bb93be6a899dbbc4b7917c590f6204 error="QMP command failed: a used vhost backend has no free memory slots left" source=virtcontainers subsystem=qemu
Jul 07 21:22:19 vmss-agent-kata1-test-jfitk000000 crio[4141]: time="2020-07-07T21:22:19.080439608Z" level=warning msg="failed to cleanup rootfs mount" error="no such file or directory"
Jul 07 21:22:19 vmss-agent-kata1-test-jfitk000000 kata[87409]: time="2020-07-07T21:22:19.080366308Z" level=error msg="hotplug memory" ID=88a3d4ce4595c593b1e45cfe09295a8277bb93be6a899dbbc4b7917c590f6204 error="QMP command failed: a used vhost backend has no free memory slots left" source=virtcontainers subsystem=qemu

[evanfoster]

I realized I wasn't capturing debug logs in my original post. This gist has the output of journalctl -t kata -f from the moment my repro-case pod was created to when k8s reported the pod as stuck in CreateContainerError.

[devimc]

@evanfoster thanks, that's a good log!, could you resize /dev/shm and try again?

# mount -o remount,size=6g  /dev/shm

[devimc]

@evanfoster make sure /dev/shm was resized. df -h | grep "/dev/shm"

[evanfoster]

No joy again, unfortunately.

vmss-agent-kata1-test-jfitk000000 ~ # grep 'memory_slots =' /etc/kata-containers/configuration.toml
memory_slots = 15
vmss-agent-kata1-test-jfitk000000 ~ # df -h /dev/shm
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           6.0G  345M  5.7G   6% /dev/shm

Here are the logs from this attempt: https://gist.github.com/evanfoster/12a3c8c4fe41068a50fc764c6816df84

[dagrh]

'a used vhost backend has no free memory slots left'
oh that's fun.
vhost_user has a limit on the number of memory devices that the virtual devices can map; it used to be quite small (8?) - it's VERY recently been made configurable in qemu (see qemu 6b0eff1 that went in a few weeks ago).
I'm guessing Kata is hotplugging a DIMM for each container in the pod and hitting this limit.
I've not looked at that new configurable feature, but perhaps that's one way out.

[amshinde]

@evanfoster Curious if you were able to try this out with containerd.

[evanfoster]

@amshinde I haven't done so yet. The nodes I'm testing on have containerd, but all of the plumbing is set up to use CRI-O. I'll see if I can give that a whirl, but it may take me a bit.

@dagrh I'm guessing I'd also want b650d5f, right? If so, then I might try to build and test that.

EDIT: Oops, I might have a hard time trying out b650d5f. It's not present at https://gitlab.com/virtio-fs/qemu and I don't like my chances of cherry-picking it.

EDIT: Wait a moment, I can just run using 9p instead of virtio-fs. I'll give that a whirl tomorrow.

[amshinde]

@evanfoster Just gave this is a shot with containerd (reducing cpu limits due to a smaller machine). I got the the error you were seeing initially - not enough memory slots. I then increased hypervisor.qemu.memory_slots to 15. I could see all the 10 containers in the pod come up. This was with 9p, I'll try with virtiofs next. Will also try to setup crio next.

[amshinde]

@evanfoster I confirm I can see the a used vhost backend has no free memory slots left error with virtiofs inspite of increasing the memory slots in kata configuration.toml.
@dagrh I suppose this is the commit that would possibly fix this: qemu/qemu@6b0eff1

[amshinde]

@dagrh @fidencio I tried building qemu from master, but I am seeing errors
qemu-virtiofs-system-x86_64: -device vhost-user-fs-pci,chardev=char-d49 e522a102c2b68,tag=kataShared,cache-size=1024M,romfile=: Property '.cache-size. Looks like some virtiofs properties have been deprecated.

@fidencio This ties into my previous request for moving to qemu 5.0 for virtiofs and having kata-runtime work with the upstream virtiofsd.

[evanfoster]

Ah, it looks like pods started with 9p and qemu-system-x86_64. I think that my previous testing was being skewed by #2816. The issue only pops up when running with virtio-fs which aligns with what @amshinde is seeing.

[evanfoster]

Is there any way I can be of assistance? I'm happy to help out however I can.

[amshinde]

@evanfoster We need to port qemu to 5.0 with any upstream changes required.
@dagrh Is taking a look at this at the moment.

[dagrh]

I can trigger the same error on qemu 4.2 (without kata) by adding:
-object memory-backend-memfd,id=mem1,size=256M,share=on -device pc-dimm,id=dimm1,memdev=mem1
-object memory-backend-memfd,id=mem2,size=256M,share=on -device pc-dimm,id=dimm2,memdev=mem2
-object memory-backend-memfd,id=mem3,size=256M,share=on -device pc-dimm,id=dimm3,memdev=mem3
-object memory-backend-memfd,id=mem4,size=256M,share=on -device pc-dimm,id=dimm4,memdev=mem4
-object memory-backend-memfd,id=mem5,size=256M,share=on -device pc-dimm,id=dimm5,memdev=mem5
-object memory-backend-memfd,id=mem6,size=256M,share=on -device pc-dimm,id=dimm6,memdev=mem6
-object memory-backend-memfd,id=mem7,size=256M,share=on -device pc-dimm,id=dimm7,memdev=mem7

and it gives me the error:
qemu-system-x86_64: -device pc-dimm,id=dimm7,memdev=mem7: a used vhost backend has no free memory slots left

and that's working on current head qemu; so it does look like that got fixed.

[dagrh]

I've just created a branch based off qemu 5.0 but with the extra slot stuff and our dax code;
https://gitlab.com/virtio-fs/qemu/-/tree/qemu5.0-virtiofs-dax

please try and let me know if that fixes it.

[evanfoster]

It works! I'm seeing a pod with 11 containers fully start.

[dagrh]

Excellent! - @amshinde what do you want us to do here, do you want to hold this open until kata updates the qemu version?

[amshinde]

Thanks @dagrh for creating the branch. Yes, lets keep this open, until we move to the branch. I'll close this once move to that branch is complete.

[amshinde]

The qemu branch with the fix has been merged in kata. I have verified that the pod now works with more than 10 containers with virtio-fs. I am going to close this. With this fix is not yet implemented for clh, I am going to open a separate issue to track it.

cc @dagrh @jcvenegas