Bug 1942837
| Summary: | [OCPv4.6] unable to deploy pod with unsafe sysctls | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Angelo Gabrieli <agabriel> |
| Component: | Node | Assignee: | Peter Hunt <pehunt> |
| Node sub component: | CRI-O | QA Contact: | MinLi <minmli> |
| Status: | CLOSED ERRATA | Severity: | high |
| Priority: | medium | CC: | aos-bugs, pehunt |
| Version: | 4.6 | Target Release: | 4.8.0 |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | No Doc Update | Type: | Bug |
| Last Closed: | 2021-07-27 22:55:38 UTC | | |

Description
Angelo Gabrieli
2021-03-25 07:38:45 UTC
can I have the crio logs from the affected node?

crio.logs updated (with a private attachment). We also have the sosreport, please let me know if you need it

sorry, I don't think these logs are from the correct node. I don't find "failed to cleanup" in it

Hi Peter, those logs come from kubelet, for example:

```
Mar 25 13:28:02 worker2.example hyperkube[1757]: E0325 13:28:02.275454 1757 remote_runtime.go:113] RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to cleanup [/var/run/netns/0c85093d-661e-40c8-bdd5-499a6c3a416f /var/run/ipcns/0c85093d-661e-40c8-bdd5-499a6c3a416f /var/run/utsns/0c85093d-661e-40c8-bdd5-499a6c3a416f] after pinns failure exit status 1
Mar 25 13:28:02 worker2.example.com hyperkube[1757]: E0325 13:28:02.275509 1757 kuberuntime_sandbox.go:70] CreatePodSandbox for pod "base-pod_test-priv(0de8292b-6eae-43c7-b8f5-686285434920)" failed: rpc error: code = Unknown desc = failed to cleanup [/var/run/netns/0c85093d-661e-40c8-bdd5-499a6c3a416f /var/run/ipcns/0c85093d-661e-40c8-bdd5-499a6c3a416f /var/run/utsns/0c85093d-661e-40c8-bdd5-499a6c3a416f] after pinns failure exit status 1
Mar 25 13:28:02 worker2.example.com hyperkube[1757]: E0325 13:28:02.275520 1757 kuberuntime_manager.go:741] createPodSandbox for pod "base-pod_test-priv(0de8292b-6eae-43c7-b8f5-686285434920)" failed: rpc error: code = Unknown desc = failed to cleanup [/var/run/netns/0c85093d-661e-40c8-bdd5-499a6c3a416f /var/run/ipcns/0c85093d-661e-40c8-bdd5-499a6c3a416f /var/run/utsns/0c85093d-661e-40c8-bdd5-499a6c3a416f] after pinns failure exit status 1
```

I'm going to attach the sosreport

what sysctl are you trying to use exactly? It would be useful to me to have the pod spec of the failing pod creation

Those are the sysctls:
```yaml
securityContext:
  sysctls:
  - name: kernel.shm_rmid_forced
    value: "0"
  - name: net.ipv4.route.min_pmtu
    value: "552"
  - name: kernel.msgmax
    value: "65536"
```

didn't have time this sprint, hopefully I will next

I finally got a chance to look at this. It is not clear this has *ever* worked. The error is coming from the fact that min_pmtu is a host-only sysctl, and is not available in a network namespace. One can see this by doing `sudo unshare -n -- sysctl -a | grep min_pmtu`

I am pretty sure this example was borrowed from upstream kube docs, which have since been updated: https://github.com/kubernetes/website/pull/15248

Thus, I have submitted a fix to the documentation (attached). It should likely be backported to all supported versions

verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438
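
An added example, not part of the bug thread and not CRI-O or kubelet code: a preflight check for the failure discussed above, where a sysctl falls in a namespaced name group (`net.`) yet has no entry inside a fresh network namespace. The group table follows the namespaced groups listed in the upstream Kubernetes sysctl documentation; the function names and the temporary `/proc/sys` tree are constructed for illustration.

```python
import os
import tempfile

# Name-based groups the upstream Kubernetes docs list as namespaced.
NAMESPACED_EXACT = {"kernel.sem": "ipc"}
NAMESPACED_PREFIX = {"kernel.shm": "ipc", "kernel.msg": "ipc",
                     "fs.mqueue.": "ipc", "net.": "net"}

# Sysctls from the pod spec posted in this report.
POD_SYSCTLS = ["kernel.shm_rmid_forced", "net.ipv4.route.min_pmtu", "kernel.msgmax"]


def namespace_of(name):
    """Return 'ipc', 'net', or None when the name is in no namespaced group."""
    if name in NAMESPACED_EXACT:
        return NAMESPACED_EXACT[name]
    for prefix, ns in NAMESPACED_PREFIX.items():
        if name.startswith(prefix):
            return ns
    return None


def preflight(names, proc_sys):
    """Map each sysctl to (name group, entry present under proc_sys?)."""
    result = {}
    for name in names:
        # Simple dotted names only; interface names containing dots are not handled.
        path = os.path.join(proc_sys, *name.split("."))
        result[name] = (namespace_of(name), os.path.isfile(path))
    return result


def constructed_netns_view():
    """Constructed /proc/sys tree mimicking the view described in the report:
    the ipc sysctls exist, net.ipv4.route.min_pmtu does not."""
    root = tempfile.mkdtemp(prefix="procsys-")
    for rel in ("kernel/shm_rmid_forced", "kernel/msgmax", "net/ipv4/ip_forward"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    report = preflight(POD_SYSCTLS, constructed_netns_view())
    for name, (group, present) in report.items():
        status = "ok" if present else "MISSING in namespace view"
        print(f"{name:28} group={group} {status}")
```

On a node, pass `/proc/sys` as `proc_sys` from a process started under `unshare -n`, so the check sees the same view as the new pod sandbox.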