Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate Docker v1.11 #23397

Closed
4 of 5 tasks
vishh opened this issue Mar 23, 2016 · 43 comments
Closed
4 of 5 tasks

Validate Docker v1.11 #23397

vishh opened this issue Mar 23, 2016 · 43 comments
Assignees
@timstclair
Labels
area/docker priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/node Categorizes an issue or PR as relevant to SIG Node.
Milestone
next-candidate

Comments

@vishh
Copy link
Contributor

vishh commented Mar 23, 2016
edited by timstclair
Loading

Docker v1.11 rcs are starting to show up. Its time to get started with the validation.

https://github.com/docker/docker/releases/tag/v1.11.0-rc1

cc @kubernetes/sig-node

EDIT(timstclair):

TASKS:

  • e2e tests pass
  • performance analysis
  • startup tests (bootstrap, restart)
  • live upgrade successful
  • 1 week soak tests
@vishh vishh added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/node Categorizes an issue or PR as relevant to SIG Node. labels Mar 23, 2016
@vishh vishh added this to the next-candidate milestone Mar 23, 2016
@timstclair
Copy link

xref #22765 - automate this process

@luxas
Copy link
Member

luxas commented Mar 24, 2016

The really big change here is that you need four binaries instead of one: docker, runc, containerd, containerd-shim if I recall correctly.
That may cause issues

@vishh
Copy link
Contributor Author

vishh commented Mar 24, 2016

The salt script uses packages. So multiple binaries should not be an issue
I think.

On Thu, Mar 24, 2016 at 10:31 AM, Lucas Käldström notifications@github.com
wrote:

The really big change here is that you need four binaries instead of one:
docker, runc, containerd, containerd-shim if I recall correctly.
That may cause issues


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#23397 (comment)

@yujuhong
Copy link
Contributor

We may want to put both containerd and docker into one cgroup to account for the resource usage.

@timstclair
Copy link

kube-proxy fails to come up. From /var/log/kube-proxy.log

Flag --resource-container has been deprecated, This feature will be removed in a later release.
I0324 23:56:52.790786       6 iptables.go:177] Could not connect to D-Bus system bus: dial unix /var/run/dbus/system_bus_socket: no such file or directory
I0324 23:56:52.790882       6 server.go:154] setting OOM scores is unsupported in this build
I0324 23:56:52.855289       6 server.go:200] Using iptables Proxier.
F0324 23:56:52.855424       6 server.go:208] Unable to create proxier: can't set sysctl net/ipv4/conf/all/route_localnet: open /proc/sys/net/ipv4/conf/all/route_localnet: read-only file system
...

@yujuhong
Copy link
Contributor

runc by default mounts /proc/sys as read-only (https://github.com/opencontainers/runc/blob/24950964ec70f18d18e767e9141d8d952efa416b/utils.go#L131)

The privileged container will need to unmount it to write to it. I added it to the manifest and kube-proxy seems to be working after that.

EDIT: I added umount /proc/sys as part of the command in the manifest file. The pod was up and running after that (i.e., not crashing anymore).

@vishh
Copy link
Contributor Author

vishh commented Mar 25, 2016

https://github.com/docker/docker/releases/tag/v1.11.0-rc2

@timstclair
Copy link

Results from running e2e tests on v1.11.0-rc2:

kubernetes-e2e-gce

Summarizing 6 Failures:

[Fail] [k8s.io] Addon update [BeforeEach] should propagate add-on file changes 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/addon_update.go:208

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] ReplicationController light [It] Should scale from 1 pod to 2 pods 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Services [It] should be able to up and down services 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/service.go:248

[Fail] [k8s.io] SSH [It] should SSH to all nodes and run commands 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/ssh.go:65

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] ReplicationController light [It] Should scale from 2 pods to 1 pod using HPA version v1 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Monitoring [It] should verify monitoring pods and all cluster nodes are available on influxdb using heapster. 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/util.go:1591

Ran 161 of 268 Specs in 5971.947 seconds
FAIL! -- 155 Passed | 6 Failed | 0 Pending | 107 Skipped --- FAIL: TestE2E (5972.33s)
FAIL

kubernetes-e2e-gce-serial

Summarizing 18 Failures:

[Fail] [k8s.io] Services [It] should work after restarting apiserver [Disruptive] 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/service.go:349

[Fail] [k8s.io] Nodes [Disruptive] [k8s.io] Network when a node becomes unreachable [It] All pods on the unreachable node should be marked as NotReady upon the node turn NotReady AND all pods should be mark back to Ready when the node get back to Ready before pod eviction timeout 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/util.go:3549

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] [Serial] [Slow] ReplicationController [It] Should scale from 5 pods to 3 pods and from 3 to 1 and verify decision stability 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Etcd failure [Disruptive] [It] should recover from network partition with master 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/etcd_failure.go:93

[Fail] [k8s.io] DaemonRestart [Disruptive] [It] Kubelet should not restart containers across restart 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/daemon_restart.go:62

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] [Serial] [Slow] Deployment [It] Should scale from 5 pods to 3 pods and from 3 to 1 and verify decision stability 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Etcd failure [Disruptive] [It] should recover from SIGKILL 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/etcd_failure.go:93

[Fail] [k8s.io] Services [It] should work after restarting kube-proxy [Disruptive] 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/service.go:307

[Fail] [k8s.io] Nodes [Disruptive] [k8s.io] Network when a node becomes unreachable [It] [replication controller] recreates pods scheduled on the unreachable node AND allows scheduling of pods on a node after it rejoins the cluster 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/util.go:3549

[Fail] [k8s.io] SchedulerPredicates [Serial] [It] validates MaxPods limit number of pods that are allowed to run [Slow] 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/util.go:2159

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] [Serial] [Slow] ReplicationController [It] Should scale from 1 pod to 3 pods and from 3 to 5 and verify decision stability 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] [Serial] [Slow] Deployment [It] Should scale from 1 pod to 3 pods and from 3 to 5 and verify decision stability 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] [Serial] [Slow] ReplicaSet [It] Should scale from 1 pod to 3 pods and from 3 to 5 and verify decision stability 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] Kubelet [Serial] [Slow] [k8s.io] regular resource usage tracking [It] for 100 pods per node over 20m0s 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/kubelet_perf.go:72

[Fail] [k8s.io] Kubelet [Serial] [Slow] [k8s.io] regular resource usage tracking [It] for 35 pods per node over 20m0s 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/kubelet_perf.go:143

[Fail] [k8s.io] DaemonRestart [Disruptive] [It] Controller Manager should not create/delete replicas across restart 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/daemon_restart.go:62

[Fail] [k8s.io] Horizontal pod autoscaling (scale resource: CPU) [k8s.io] [Serial] [Slow] ReplicaSet [It] Should scale from 5 pods to 3 pods and from 3 to 1 and verify decision stability 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/autoscaling_utils.go:325

[Fail] [k8s.io] DaemonRestart [Disruptive] [It] Scheduler should continue assigning pods to nodes across restart 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/daemon_restart.go:62

Ran 30 of 268 Specs in 9137.840 seconds
FAIL! -- 12 Passed | 18 Failed | 0 Pending | 238 Skipped --- FAIL: TestE2E (9138.18s)
FAIL

kubernetes-e2e-gce-slow

SUCCESS! -- 9 Passed | 0 Failed | 0 Pending | 259 Skipped PASS

Lots to look into here...

@timstclair timstclair mentioned this issue Mar 31, 2016
Closed
@vishh
Copy link
Contributor Author

vishh commented Apr 7, 2016

FYI: RC4 is out - Linux 64bit tgz: https://test.docker.com/builds/Linux/x86_64/docker-1.11.0-rc4.tgz

@yujuhong yujuhong mentioned this issue Apr 12, 2016
Closed
@timstclair
Copy link

Blocker: google/cadvisor#1206

@yujuhong
Copy link
Contributor

FYI, docker-containerd should probably be moved to the same cgroup that docker daemon is in so that we can account the resource overhead of containerd-shim, a per-container process. The containerd-shim uses about 3-5MB of memory and may be rewritten in C (xref: moby/moby#21737)

@timstclair
Copy link

FYI, docker v1.11 is released

@yujuhong
Copy link
Contributor

runc by default mounts /proc/sys as read-only (https://github.com/opencontainers/runc/blob/24950964ec70f18d18e767e9141d8d952efa416b/utils.go#L131)

The privileged container will need to unmount it to write to it. I added it to the manifest and kube-proxy seems to be working after that.

EDIT: I added umount /proc/sys as part of the command in the manifest file. The pod was up and running after that (i.e., not crashing anymore).

By the way, this should was already fixed by moby/moby#21751

@timstclair
Copy link

timstclair commented Apr 21, 2016
edited
Loading

Almost all tests passing, yay! Remaining failures are:

[Fail] [k8s.io] Kubelet [Serial] [Slow] [k8s.io] regular resource usage tracking [It] resource tracking for 35 pods per node 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/kubelet_perf.go:150

[Fail] [k8s.io] SchedulerPredicates [Serial] [It] validates MaxPods limit number of pods that are allowed to run [Slow] 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/util.go:2091

[Fail] [k8s.io] Kubelet [Serial] [Slow] [k8s.io] regular resource usage tracking [It] resource tracking for 100 pods per node 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/kubelet_perf.go:74

[Fail] [k8s.io] Kubelet [Serial] [Slow] [k8s.io] regular resource usage tracking [It] resource tracking for 0 pods per node 
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/kubelet_perf.go:150

3 of those are expected increases in memory usage (as described here). I think the other issue is just that my test cluster has insufficient disk quota (fails on master as well).

EDIT: Those results are with updated cAdvisor & go-dockerclient godeps, which still need to be merged.

@yujuhong
Copy link
Contributor

Almost all tests passing, yay!

Awesome!

3 of those are expected increases in memory usage (as described here). I think the other issue is just that my test cluster has insufficient disk quota (fails on master as well).

Just wanted to double-check: Is containerd in the same cgroup with docker? If so, we can check the memory increase and bump the limits in the test accordingly.

@thaJeztah thaJeztah mentioned this issue Apr 26, 2016
Closed
@bacongobbler bacongobbler mentioned this issue Apr 28, 2016
Closed
@timothysc
Copy link
Member

/cc @eparis - opinions?

@timstclair
Copy link

Performed manual restart tests, no issues found.

Tested the following with no apparent issues:

  • Kill docker daemon (sudo pkill -9 -f /usr/bin/dock[er]) while running steady state with lots of pause pods, wait and restart (sudo /etc/init.d/docker start)
  • Kill docker daemon while scaling pause (gcr.io/google_containers/pause) replication controller to 0 replicas. kubectl reports pods as terminated. Restart docker daemon, containers are quickly terminated.
  • Kill docker daemon while scaling pause rc to 200 replicas (3 node + 1 master cluster). Pods eventually report error status. Restart docker daemon, pods eventually report running.
  • All of the above on the master node
  • All of the above killing docker-containerd (it restarts automatically, with some backoff)

@timstclair
Copy link

timstclair commented May 5, 2016
edited
Loading

v1.9 results copied from this comment

Introduction
I benchmarked docker v1.11 using the docker micro benchmark tool.

Benchmark Environment

  • Cloud Provider: GCE
  • VM Instance: n1-standard-2 (2 vCPUs, 7.5 GB memory)
  • OS: Debian GNU/Linux 8.3 (jessie)
  • Docker version:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:11:07 2016
 OS/Arch:      linux/amd64

1. Benchmark list/inspect with varying number of containers

Using benchmark.sh -c

  • Latency
    • Docker 1.9.1
      latency-varies_container
    • Docker 1.11.1
      latency-varies_container
  • CPU Usage
    • Docker 1.9.1
      cpu
    • Docker 1.11.1
      cpu

2. Benchmark list/inspect with varying operation intervals

Using benchmark.sh -i

  • ps [all=true] Latency
    • Docker 1.9.1
      latency-list_all
    • Docker 1.11.1
      latency-list_all
  • ps [all=false] Latency
    • Docker 1.9.1
      latency-list_alive
    • Docker 1.11.1
      latency-list_alive
  • inspect Latency
    • Docker 1.9.1
      latency-inspect
    • Docker 1.11.1
      latency-inspect
  • CPU Usage
    • Docker 1.9.1
      cpu
    • Docker 1.11.1
      cpu

3. Benchmark list/inspect with varying number of goroutines

Using benchmark.sh -r

  • ps [all=true] Latency
    • Docker 1.9.1
      latency-list_all
    • Docker 1.11.1
      latency-list_all
  • inspect Latency
    • Docker 1.9.1
      latency-inspect
    • Docker 1.11.1
      latency-inspect
  • CPU Usage
    • Docker 1.9.1
      cpu
    • Docker 1.11.1
      cpu

Conclusion
Latency is significantly lower for list and inspect operations under docker 1.11.1, but CPU is much spikier (smoothed usage may be similar to 1.9.1).

@yujuhong
Copy link
Contributor

yujuhong commented May 5, 2016

Latency is significantly lower for list and inspect operations under docker 1.11.1, but CPU is much spikier (smoothed usage may be similar to 1.9.1). I will follow up with results including docker-containerd usage.

If it helps, I remember the docker-containerd cpu usage to be quite low that it's insignificant.

@timstclair
Copy link

Yeah, that's consistent with my findings. I've updated the graphs to include containerd.

@Random-Liu
Copy link
Member

Maybe the CPU spike is because docker processes request much faster than before, the benchmark sends more request in the same period.

@vishh
Copy link
Contributor Author

vishh commented May 20, 2016

We might want to bump /proc/sys/kernel/keys/root_maxbytes too. Seems to
be set to 20000 bytes by default.

On Fri, May 20, 2016 at 2:38 PM, Yu-Ju Hong notifications@github.com
wrote:

I also reproduced this with @dchen1107 https://github.com/dchen1107's
command on my node.
Bumping /proc/sys/kernel/keys/root_maxkeys worked for me, until the ip
addresses ran out.


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#23397 (comment)

@timstclair
Copy link

I was able to reproduce this on a container VM GCE instance, but not on an ubuntu trusty instance (that I installed docker v1.11 on using curl -fsSL https://get.docker.com/ | sh)

@dchen1107 dchen1107 mentioned this issue May 20, 2016
Merged
@Random-Liu
Copy link
Member

Random-Liu commented May 21, 2016
edited
Loading

It's wried that docker micro benchmark #23397 (comment) didn't catch the error #23397 (comment).

I think there are 2 possible reasons:

  • docker micro benchmark starts at most 200 running containers in the test, which didn't hit the limit.
  • old docker micro benchmark didn't handle operation error properly, the errors are not reported.

kubernetes-retired/contrib#581 will add error rate statistics. I'll run new docker micro benchmark with 1.11 again.

@yujuhong
Copy link
Contributor

@Random-Liu, 200 running containers won't hit this case. In addition to that, one needs to run the benchmark using a containerVM instance to hit this case (or it depends on the settings on your desktop). We should get your PR in to at least surface the errors when running the microbenchmark

@dchen1107
Copy link
Member

@Random-Liu and I talked about this last week, and we are extending the test suite for this.

@Random-Liu
Copy link
Member

@dchen1107 ACK. Will increase the max container number in benchmark test.

@vishh
Copy link
Contributor Author

vishh commented May 25, 2016

@timstclair #23397 (comment) is still unresolved AFAIK.

@timstclair
Copy link

Ah, I missed that. Thanks.

k8s-github-robot pushed a commit that referenced this issue May 26, 2016
Merge pull request #26001 from dchen1107/docker
6a1abc1 
Automatic merge from submit-queue

Attempt 2: Bump GCE containerVM to container-v1-3-v20160517 (Docker 1.11.1) again.

Workaround the issue of small root_maxkeys on the debian based container-vm image, and bump our image to the new alpha version for docker 1.11.1 validation. 

ref: #23397 #25893

cc/ @vishh @timstclair
@timstclair timstclair mentioned this issue May 27, 2016
Merged
@dchen1107 dchen1107 mentioned this issue May 27, 2016
Closed
k8s-github-robot pushed a commit that referenced this issue May 28, 2016
Merge pull request #26391 from timstclair/containerd
f32b258 
Automatic merge from submit-queue

Move containerd process into docker cgroup for versions >= v1.11

Addresses #23397 (comment)

/cc @vishh @kubernetes/sig-node
@yujuhong
Copy link
Contributor

yujuhong commented Jun 2, 2016
edited
Loading

Docker 1.11.2 is out: https://github.com/docker/docker/releases/tag/v1.11.2

Fixes that may be relevant:

  • Fix a possible deadlock on image deletion and container attach
  • Fix an issue preventing container to be restarted after daemon restart
  • Fix an issue causing docker ps to hang on CentOS when using devicemapper
  • Fix a bug preventing to docker exec into a container when using devicemapper

@Random-Liu Random-Liu mentioned this issue Jun 2, 2016
Closed
@dchen1107 dchen1107 mentioned this issue Jun 8, 2016
Closed
This was referenced Jun 17, 2016
Closed
Closed
@dchen1107
Copy link
Member

@thockin reported https://github.com/docker/containerd/issues/275

@krancour krancour mentioned this issue Jul 8, 2016
Closed
@bgrant0607
Copy link
Member

@timstclair Is there anything left to do here?

@timstclair
Copy link

Nope, we've been defaulting to v1.11 on GCE / GKE since 1.3.

@Random-Liu Random-Liu mentioned this issue Sep 3, 2016
Closed
@aronchick aronchick mentioned this issue Sep 24, 2016
Closed
16 tasks
@dchen1107 dchen1107 mentioned this issue Sep 24, 2016
Merged
@dchen1107 dchen1107 mentioned this issue Nov 19, 2016
Closed
@dchen1107
Copy link
Member

Known issue of docker 1.11.X: #33882 (comment) by @mtaufen

This is theorized to be the fix in Docker: moby/moby#25523
That fix goes in with Docker 1.13.0.

This was referenced Feb 9, 2017
Open
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timstclair timstclair

Labels
area/docker priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/node Categorizes an issue or PR as relevant to SIG Node.
Projects
None yet
Milestone
next-candidate
Development

No branches or pull requests
9 participants
@spiffxp @timothysc @timstclair @luxas @Random-Liu @vishh @bgrant0607 @dchen1107 @yujuhong