Kube-proxy facing locking timeout in large clusters during load test with services enabled #48107
Comments
k8s-ci-robot
added
sig/network
|
fyi, the logs for the run are here - http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-enormous-cluster/10/ |
|
I suspect other components are holding the lock and fail to release. |
|
Linking issue #47344 for tracking. |
|
cc @wojtek-t |
|
Are the nodes running on CVM or COS? It looks like it is running on CVM, right? |
|
Is there anyway we can execute |
|
It looks like iptables util cannot open a specific linux domain socket. I suspect kube-proxy failed to close it during one run. Not sure why. I will send a PR to expose the error soon. |
|
@freehan The nodes were running on gci (which I guess is the same as cos). Ref: https://github.com/kubernetes/test-infra/blob/master/jobs/ci-kubernetes-e2e-gce-enormous-cluster.env#L33 |
Automatic merge from submit-queue (batch tested with PRs 47234, 48410, 48514, 48529, 48348) expose error lock release failure from iptables util ref: #48107
|
May be related #45385. I tried to find the dashboard where the enormous node test + services-enabled is. Can anyone provide a pointer to the testgrid runs? |
|
The job for gce 5k-node performance test - https://k8s-testgrid.appspot.com/google-gce-scale#gce-scale-performance |
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
k8s-ci-robot
added
the
lifecycle/stale
|
@shyamjvs does this remain an issue? |
|
I think that it actually still is. |
|
/lifecycle frozen |
k8s-ci-robot
added
the
lifecycle/frozen
|
/remove-lifecycle frozen |
k8s-ci-robot
removed
the
lifecycle/frozen
|
whoops, I meant |
k8s-ci-robot
added
lifecycle/frozen
|
@danwinship - given all the above, I think the only open question that I still have is: |
|
docker does iptables stuff internally in some cases, so that might be it. Your network plugin might also be doing stuff as part of pod setup. |
|
I've sent the above PR to experiment with ipvs in our scalability tests (as it seems GA now). The above problem with iptables might just become obsolete in case we're going to make a switch later. |
thockin
added
the
triage/unresolved
|
@shyamjvs If you aren't able to handle this issue, consider unassigning yourself and/or adding the 🤖 I am a bot run by vllry. 👩🔬 |
|
reopen if needed |
|
Hmm - it still seems to be an issue - it was actually the main reason why we had to revert: #77541 |
|
@shyamjvs If you aren't able to handle this issue, consider unassigning yourself and/or adding the 🤖 I am a bot run by vllry. 👩🔬 |
1 similar comment
|
@shyamjvs If you aren't able to handle this issue, consider unassigning yourself and/or adding the 🤖 I am a bot run by vllry. 👩🔬 |
|
/remove-triage unresolved |
k8s-ci-robot
removed
the
triage/unresolved
|
Filed #80061 for metrics enhancements. |
4.14. (I can't remember exactly). |
|
Hello, I am seeing this issue in my proxy pods: Any solutions on this? Let me know if you need more info |
|
are you using the CNI portmap plugin? |
|
Hi. We are using NSX-T CNI. |
|
I think that there can be multiple reasons, I can share what I did to find a problem with the portmap plugin holding the lock. I just patched the kubelet 22665fc to log the pid of the process, then I monitored kube-proxy to trigger an script when it finds the error message
that dumps all the processes so you can check "who" was holding the lock Hope this can be useful |
|
Thank you! I will try this. |
|
yeah, that one |
|
I think we can close this; multiple performance improvements in the kernel iptables/nftables code, improvements in iptables-nft, and the move to default to the IPVS proxy make iptables lock contention much less of an issue. If we do still see this, we can re-open. /close |
|
@dcbw: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Follows from discussion in #48052
We noticed this while performing load test on 4000 node clusters with services enabled. The iptables restore step in the proxier fails with:
And the reason quite likely is because of "huge" size of iptables (tens of MBs) as we run 30 pods per node and each pod is part of exactly one service
=> 30 * 4000 = 120k service endpoints (and these updates happen on all 4000 nodes)
cc @kubernetes/sig-network-misc @kubernetes/sig-scalability-misc @danwinship @wojtek-t
The text was updated successfully, but these errors were encountered: