Retry interval of failed volume snapshot creation or deletion does not double after each failure: v6.0.1

[ambiknai]

What happened:

Created VolumeSnapshot but the request failed due to authorisation issue in storage provider. In logs, I could see frequent calls to CreateSnapshot method. Ad per doc, it should double after each failure but logs doesn't show that behaviour.

What you expected to happen:
retry interval of failed volume snapshot creation or deletion should double after each failure

How to reproduce it:

Create a negative test scenario where VolumeSnapshot Creation fails and observe csi-snapshotter sidecar logs.

Anything else we need to know?:

cat csi-snapshotter.log | grep "GRPC call: /csi.v1.Controller/CreateSnapshot"
I1103 09:23:10.412875       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:12.306660       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:12.477653       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:12.785050       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:12.943098       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:13.124844       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:13.700102       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:14.300774       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:14.904655       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:15.504961       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:16.101649       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:16.704480       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:17.303818       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:17.904957       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:18.524977       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:19.100899       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:19.701028       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:20.302357       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:20.903176       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:21.502685       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:22.101407       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:22.701141       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:23.306374       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:23.902031       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:24.546378       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:25.104353       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:25.706340       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:26.304882       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:26.902224       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:27.500703       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:28.100920       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:28.705816       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot

csi-snapshotter has errors logged

I1103 09:23:10.412875       1 connection.go:183] GRPC call: /csi.v1.Controller/CreateSnapshot
I1103 09:23:10.412881       1 connection.go:184] GRPC request: {"name":"snapshot-b9eb23d0-cd0d-47e9-a73f-da6d2132bde1","source_volume_id":"r014-41301bc5-7acf-4013-aaae-386ae5cbd5f4"}
I1103 09:23:10.426415       1 snapshot_controller_base.go:162] enqueued "snapcontent-b9eb23d0-cd0d-47e9-a73f-da6d2132bde1" for sync
I1103 09:23:12.279782       1 connection.go:186] GRPC response: {}
I1103 09:23:12.279876       1 connection.go:187] GRPC error: rpc error: code = Internal desc = {RequestID: 556ec084-4b68-4bd7-bd9f-fcc5f44bccaf , Code: InternalError, Description: Internal error occurred%!(EXTRA string=creation), BackendError: {Code:SnapshotSpaceOrderFailed, Type:ProvisioningFailed, Description:Snapshot space order failed for the given volume ID, BackendError:Trace Code:556ec084-4b68-4bd7-bd9f-fcc5f44bccaf, The user is not authorized Please check Check access permissions and try again., RC:500}, Action: Please check 'BackendError' tag for more details}
I1103 09:23:12.279895       1 snapshot_controller.go:324] createSnapshotWrapper: CreateSnapshot for content snapcontent-b9eb23d0-cd0d-47e9-a73f-da6d2132bde1 returned error: rpc error: code = Internal desc = {RequestID: 556ec084-4b68-4bd7-bd9f-fcc5f44bccaf , Code: InternalError, Description: Internal error occurred%!(EXTRA string=creation), BackendError: {Code:SnapshotSpaceOrderFailed, Type:ProvisioningFailed, Description:Snapshot space order failed for the given volume ID, BackendError:Trace Code:556ec084-4b68-4bd7-bd9f-fcc5f44bccaf, The user is not authorized Please check Check access permissions and try again., RC:500}, Action: Please check 'BackendError' tag for more details}

External-Snapshotter version : v6.0.1

Related PR for reference : #651

Environment:

• Driver version:
• Kubernetes version (use kubectl version): 1.25
• OS (e.g. from /etc/os-release):
• Kernel (e.g. uname -a):
• Install tools:
• Others:

[xing-yang]

@zhucan Can you take a look?

[zhucan]

@xing-yang @ambiknai

external-snapshotter/pkg/sidecar-controller/snapshot_controller_base.go

Line 107 in 09a98bc

if newSnapContent.Status != nil && newSnapContent.Status.Error != nil {

if create the snapshot failed(and the err is csi final err), it wiil remove the finalizer from the content(it is the update function) and the content.status.err is nil, the content will be readded to the queue again. if we don't add this conditions to check the content.status.err, it will not be readded to the queue.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[avivlevitski-vlz]

Workaround solution:
It's apparent only when adding the sidecar's optional argument: timeout (for example: "--timeout=60s"). The retry interval takes place as expected.

[gfariasalves-ionos]

After some debugging we noticed some details that might be affecting the workflow:

external-snapshotter/pkg/sidecar-controller/snapshot_controller.go

Line 304 in e746d07

content, err = ctrl.setAnnVolumeSnapshotBeingCreated(content)

When creating a snapshot, ctrl.setAnnVolumeSnapshotBeingCreated() and ctrl.removeAnnVolumeSnapshotBeingCreated() are called with content. The annotation is used on ResourceEventHandlerFuncs's UpdateFunc() for the exponential backoff in

external-snapshotter/pkg/sidecar-controller/snapshot_controller_base.go

Line 99 in e746d07

UpdateFunc: func(oldObj, newObj interface{}) {

ResourceEventHandlerFuncs is a implementation of ResourceEventHandler, whose method OnUpdate has the following documentation:

external-snapshotter/vendor/k8s.io/client-go/tools/cache/controller.go

Lines 203 to 208 in e746d07

	// * OnUpdate is called when an object is modified. Note that oldObj is the
	// last known state of the object-- it is possible that several changes
	// were combined together, so you can't use this to see every single
	// change. OnUpdate is also called when a re-list happens, and it will
	// get called even if nothing changed. This is useful for periodically
	// evaluating or syncing something.

Considering the object is modified more than once during the workflow (for example when there is an error), it might be possible that oldObj doesn't have the annotation set anymore and the check in line 111 doesn't really work.

external-snapshotter/pkg/sidecar-controller/snapshot_controller_base.go

Line 111 in e746d07

if !newExists && oldExists {

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[torredil]

/reopen

[k8s-ci-robot]

@torredil: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[xing-yang]

/reopen

[k8s-ci-robot]

@xing-yang: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ambiknai]

/reopen

[k8s-ci-robot]

@ambiknai: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sameshai]

@zhucan @xing-yang @gfariasalves-ionos we have tried to revert to original fix but still issue does exist.

Can we get help from community to fix this ASAP ? This is big issue causing DDOS in case we have scenarios were source volume was deleted or the volume is not attached for the respective snapshot and snapshot content object.

This can be of great concern for any consumer of this sidecar.

diff --git a/pkg/sidecar-controller/snapshot_controller_base.go b/pkg/sidecar-controller/snapshot_controller_base.go
index 60b30e7a..88c5b10f 100644
--- a/pkg/sidecar-controller/snapshot_controller_base.go
+++ b/pkg/sidecar-controller/snapshot_controller_base.go
@@ -104,13 +104,17 @@ func NewCSISnapshotSideCarController(
                                // and CSI CreateSnapshot will be called again without exponential backoff.
                                // So we are skipping the re-queue here to avoid CreateSnapshot being called without exponential backoff.
                                newSnapContent := newObj.(*crdv1.VolumeSnapshotContent)
-                               if newSnapContent.Status != nil && newSnapContent.Status.Error != nil {
-                                       oldSnapContent := oldObj.(*crdv1.VolumeSnapshotContent)
-                                       _, newExists := newSnapContent.ObjectMeta.Annotations[utils.AnnVolumeSnapshotBeingCreated]
-                                       _, oldExists := oldSnapContent.ObjectMeta.Annotations[utils.AnnVolumeSnapshotBeingCreated]
-                                       if !newExists && oldExists {
-                                               return
-                                       }
+                               oldSnapContent := oldObj.(*crdv1.VolumeSnapshotContent)
+                               klog.V(5).Infof("newSnapContent %+v", newSnapContent)
+                               klog.V(5).Infof("oldSnapContent %+v", oldSnapContent)
+                               klog.V(5).Infof("newSnapContent status %+v", newSnapContent.Status)
+                               klog.V(5).Infof("oldSnapContent status %+v", oldSnapContent.Status)
+                               _, newExists := newSnapContent.ObjectMeta.Annotations[utils.AnnVolumeSnapshotBeingCreated]
+                               _, oldExists := oldSnapContent.ObjectMeta.Annotations[utils.AnnVolumeSnapshotBeingCreated]
+                               klog.V(5).Infof("newExists %v", newExists)
+                               klog.V(5).Infof("oldExists %v", oldExists)
+                               if !newExists && oldExists {
+                                       return
                                }
                                ctrl.enqueueContentWork(newObj)
                        },

[xing-yang]

/remove-lifecycle rotten