
1000 node cluster, 1 kube-proxy comes up with "open /sys/module/nf_conntrack/parameters/hashsize: read-only file system" #24295

Closed
zmerlynn opened this issue Apr 14, 2016 · 36 comments
Assignees
Labels
  • area/docker
  • priority/critical-urgent: Highest priority. Must be actively worked on as someone's top priority right now.
  • sig/network: Categorizes an issue or PR as relevant to SIG Network.
  • sig/node: Categorizes an issue or PR as relevant to SIG Node.
Milestone

Comments

@zmerlynn
Member

I just brought up a 1000 node cluster, and had one node with kube-proxy flapping in the following manner:

Flag --resource-container has been deprecated, This feature will be removed in a later release.
I0414 21:09:01.727378       5 iptables.go:177] Could not connect to D-Bus system bus: dial unix /var/run/dbus/system_bus_socket: connect: no such file or directory
I0414 21:09:01.727453       5 server.go:154] setting OOM scores is unsupported in this build
I0414 21:09:01.778461       5 server.go:200] Using iptables Proxier.
I0414 21:09:01.778514       5 proxier.go:205] missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended
I0414 21:09:01.778537       5 server.go:213] Tearing down userspace rules.
I0414 21:09:01.789946       5 conntrack.go:36] Setting nf_conntrack_max to 262144
I0414 21:09:01.789985       5 conntrack.go:41] Setting conntrack hashsize to 65536
open /sys/module/nf_conntrack/parameters/hashsize: read-only file system
Flag --resource-container has been deprecated, This feature will be removed in a later release.
I0414 21:09:02.770482       5 iptables.go:177] Could not connect to D-Bus system bus: dial unix /var/run/dbus/system_bus_socket: connect: no such file or directory
I0414 21:09:02.770529       5 server.go:154] setting OOM scores is unsupported in this build
I0414 21:09:02.802022       5 server.go:200] Using iptables Proxier.
I0414 21:09:02.802068       5 proxier.go:205] missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended
I0414 21:09:02.802089       5 server.go:213] Tearing down userspace rules.
I0414 21:09:02.812183       5 conntrack.go:36] Setting nf_conntrack_max to 262144
I0414 21:09:02.812243       5 conntrack.go:41] Setting conntrack hashsize to 65536
open /sys/module/nf_conntrack/parameters/hashsize: read-only file system
Flag --resource-container has been deprecated, This feature will be removed in a later release.
I0414 21:09:16.992945       6 iptables.go:177] Could not connect to D-Bus system bus: dial unix /var/run/dbus/system_bus_socket: connect: no such file or directory
I0414 21:09:16.993003       6 server.go:154] setting OOM scores is unsupported in this build
I0414 21:09:17.024283       6 server.go:200] Using iptables Proxier.
I0414 21:09:17.024313       6 proxier.go:205] missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended
I0414 21:09:17.024327       6 server.go:213] Tearing down userspace rules.
I0414 21:09:17.032319       6 conntrack.go:36] Setting nf_conntrack_max to 262144
I0414 21:09:17.032350       6 conntrack.go:41] Setting conntrack hashsize to 65536
open /sys/module/nf_conntrack/parameters/hashsize: read-only file system

I compared this to a working kube-proxy, and it's clear that the open /sys/module/nf_conntrack/parameters/hashsize: read-only file system is obviously failing. dmesg is showing:

[ 6882.619004] aufs au_opts_verify:1570:docker[6990]: dirperm1 breaks the protection by the permission bits on the lower branch

Could possibly be related to openshift/origin#7977

Keeping it around for posterity, but this is kind of an expensive cluster.

@zmerlynn zmerlynn added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Apr 14, 2016
@thockin
Member

thockin commented Apr 15, 2016

Why is /sys read-only? What version of Docker is it?

try docker ps | grep kube-proxy | cut -f1 -d' ' | xargs docker inspect

@zmerlynn
Member Author

This is v1.3.0-alpha.2.123+d800dca7f8d4a4, docker 1.9.1. That docker ps only pulls up the pause pod, unfortunately (it's crashlooping fast).

And yes, that's our mystery, too. I'm trying to figure out if docker is screwing us on this node.

@zmerlynn
Member Author

Grabbing the exited container now, just remembered.

@zmerlynn
Member Author

zmerlynn commented Apr 15, 2016

Here's ~~~one~~~ two of them:

{
    "Id": "12c22eb9545512407ccd383075b8a908907c47bb2ecb964ed6156c52b5abbf41",
    "Created": "2016-04-15T00:28:45.791217958Z",
    "Path": "/bin/sh",
    "Args": [
        "-c",
        "kube-proxy --master=https://146.148.51.87 --kubeconfig=/var/lib/kube-proxy/kubeconfig --resource-container=\"\" --v=2  1\u003e\u003e/var/log/kube-proxy.log 2\u003e\u00261"
    ],
    "State": {
        "Status": "exited",
        "Running": false,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 0,
        "ExitCode": 1,
        "Error": "",
        "StartedAt": "2016-04-15T00:28:45.982783832Z",
        "FinishedAt": "2016-04-15T00:28:46.101871748Z"
    },
    "Image": "9c35f0974faba3b67cc31f07388323d8a7696b34ad277e799aa2f18d3b9cf3c3",
    "ResolvConfPath": "/var/lib/docker/containers/571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b/hostname",
    "HostsPath": "/var/lib/docker/containers/571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b/hosts",
    "LogPath": "/var/lib/docker/containers/12c22eb9545512407ccd383075b8a908907c47bb2ecb964ed6156c52b5abbf41/12c22eb9545512407ccd383075b8a908907c47bb2ecb964ed6156c52b5abbf41-json.log",
    "Name": "/k8s_kube-proxy.2858f3a2_kube-proxy-gke-zml-test-1000-default-pool-26a68b7c-8nbd_kube-system_593cc7c4600ba686dbbec97628a64929_c9c903c8",
    "RestartCount": 0,
    "Driver": "aufs",
    "ExecDriver": "native-0.2",
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": [
            "/usr/share/ca-certificates:/etc/ssl/certs:ro",
            "/var/log:/var/log",
            "/var/lib/kube-proxy/kubeconfig:/var/lib/kube-proxy/kubeconfig",
            "/var/lib/kubelet/pods/593cc7c4600ba686dbbec97628a64929/containers/kube-proxy/c9c903c8:/dev/termination-log"
        ],
        "ContainerIDFile": "",
        "LxcConf": null,
        "Memory": 0,
        "MemoryReservation": 0,
        "MemorySwap": -1,
        "KernelMemory": 0,
        "CpuShares": 20,
        "CpuPeriod": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "CpuQuota": 0,
        "BlkioWeight": 0,
        "OomKillDisable": false,
        "MemorySwappiness": null,
        "Privileged": true,
        "PortBindings": null,
        "Links": null,
        "PublishAllPorts": false,
        "Dns": null,
        "DnsOptions": null,
        "DnsSearch": null,
        "ExtraHosts": null,
        "VolumesFrom": null,
        "Devices": null,
        "NetworkMode": "container:571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b",
        "IpcMode": "container:571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b",
        "PidMode": "",
        "UTSMode": "host",
        "CapAdd": null,
        "CapDrop": null,
        "GroupAdd": null,
        "RestartPolicy": {
            "Name": "",
            "MaximumRetryCount": 0
        },
        "SecurityOpt": null,
        "ReadonlyRootfs": false,
        "Ulimits": null,
        "LogConfig": {
            "Type": "json-file",
            "Config": {}
        },
        "CgroupParent": "/",
        "ConsoleSize": [
            0,
            0
        ],
        "VolumeDriver": ""
    },
    "GraphDriver": {
        "Name": "aufs",
        "Data": null
    },
    "Mounts": [
        {
            "Source": "/usr/share/ca-certificates",
            "Destination": "/etc/ssl/certs",
            "Mode": "ro",
            "RW": false
        },
        {
            "Source": "/var/log",
            "Destination": "/var/log",
            "Mode": "",
            "RW": true
        },
        {
            "Source": "/var/lib/kube-proxy/kubeconfig",
            "Destination": "/var/lib/kube-proxy/kubeconfig",
            "Mode": "",
            "RW": true
        },
        {
            "Source": "/var/lib/kubelet/pods/593cc7c4600ba686dbbec97628a64929/containers/kube-proxy/c9c903c8",
            "Destination": "/dev/termination-log",
            "Mode": "",
            "RW": true
        }
    ],
    "Config": {
        "Hostname": "gke-zml-test-1000-default-pool-26a68b7c-8nbd",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
            "KUBERNETES_DASHBOARD_SERVICE_HOST=10.39.244.160",
            "KUBERNETES_DASHBOARD_PORT_80_TCP_ADDR=10.39.244.160",
            "KUBE_DNS_SERVICE_PORT_DNS_TCP=53",
            "HEAPSTER_PORT_80_TCP_PROTO=tcp",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP_ADDR=10.39.246.187",
            "HEAPSTER_PORT_80_TCP_ADDR=10.39.249.24",
            "KUBE_DNS_SERVICE_HOST=10.39.240.10",
            "KUBE_DNS_PORT=udp://10.39.240.10:53",
            "KUBE_DNS_PORT_53_TCP=tcp://10.39.240.10:53",
            "KUBE_DNS_PORT_53_TCP_PROTO=tcp",
            "KUBERNETES_SERVICE_PORT=443",
            "KUBERNETES_DASHBOARD_SERVICE_PORT=80",
            "HEAPSTER_PORT_80_TCP_PORT=80",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP=tcp://10.39.246.187:80",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP_PROTO=tcp",
            "KUBERNETES_DASHBOARD_PORT=tcp://10.39.244.160:80",
            "KUBERNETES_DASHBOARD_PORT_80_TCP=tcp://10.39.244.160:80",
            "KUBE_DNS_PORT_53_UDP_PORT=53",
            "KUBERNETES_SERVICE_PORT_HTTPS=443",
            "DEFAULT_HTTP_BACKEND_SERVICE_HOST=10.39.246.187",
            "KUBERNETES_PORT_443_TCP_PORT=443",
            "HEAPSTER_SERVICE_HOST=10.39.249.24",
            "HEAPSTER_PORT=tcp://10.39.249.24:80",
            "KUBE_DNS_PORT_53_UDP_PROTO=udp",
            "KUBE_DNS_PORT_53_UDP_ADDR=10.39.240.10",
            "KUBE_DNS_PORT_53_TCP_PORT=53",
            "KUBE_DNS_PORT_53_TCP_ADDR=10.39.240.10",
            "KUBERNETES_PORT_443_TCP_PROTO=tcp",
            "KUBE_DNS_SERVICE_PORT=53",
            "KUBERNETES_PORT_443_TCP_ADDR=10.39.240.1",
            "HEAPSTER_SERVICE_PORT=80",
            "DEFAULT_HTTP_BACKEND_PORT=tcp://10.39.246.187:80",
            "KUBERNETES_DASHBOARD_PORT_80_TCP_PROTO=tcp",
            "DEFAULT_HTTP_BACKEND_SERVICE_PORT=80",
            "DEFAULT_HTTP_BACKEND_SERVICE_PORT_HTTP=80",
            "KUBERNETES_PORT_443_TCP=tcp://10.39.240.1:443",
            "HEAPSTER_PORT_80_TCP=tcp://10.39.249.24:80",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP_PORT=80",
            "KUBERNETES_DASHBOARD_PORT_80_TCP_PORT=80",
            "KUBE_DNS_SERVICE_PORT_DNS=53",
            "KUBE_DNS_PORT_53_UDP=udp://10.39.240.10:53",
            "KUBERNETES_SERVICE_HOST=10.39.240.1",
            "KUBERNETES_PORT=tcp://10.39.240.1:443",
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Cmd": null,
        "Image": "gcr.io/google_containers/kube-proxy:8b05000df15f495bb5654b4b094af85f",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": [
            "/bin/sh",
            "-c",
            "kube-proxy --master=https://146.148.51.87 --kubeconfig=/var/lib/kube-proxy/kubeconfig --resource-container=\"\" --v=2  1\u003e\u003e/var/log/kube-proxy.log 2\u003e\u00261"
        ],
        "OnBuild": null,
        "Labels": {
            "io.kubernetes.container.hash": "2858f3a2",
            "io.kubernetes.container.name": "kube-proxy",
            "io.kubernetes.container.restartCount": "44",
            "io.kubernetes.container.terminationMessagePath": "/dev/termination-log",
            "io.kubernetes.pod.name": "kube-proxy-gke-zml-test-1000-default-pool-26a68b7c-8nbd",
            "io.kubernetes.pod.namespace": "kube-system",
            "io.kubernetes.pod.terminationGracePeriod": "30",
            "io.kubernetes.pod.uid": "593cc7c4600ba686dbbec97628a64929"
        }
    },
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": null,
        "SandboxKey": "",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "",
        "Gateway": "",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "",
        "IPPrefixLen": 0,
        "IPv6Gateway": "",
        "MacAddress": "",
        "Networks": null
    }
}
,{
    "Id": "473d04fc4818080dff8f4a3253e2df360f48b31c1d0ce654e2122a3294ebbe23",
    "Created": "2016-04-15T00:23:34.799406831Z",
    "Path": "/bin/sh",
    "Args": [
        "-c",
        "kube-proxy --master=https://146.148.51.87 --kubeconfig=/var/lib/kube-proxy/kubeconfig --resource-container=\"\" --v=2  1\u003e\u003e/var/log/kube-proxy.log 2\u003e\u00261"
    ],
    "State": {
        "Status": "exited",
        "Running": false,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 0,
        "ExitCode": 1,
        "Error": "",
        "StartedAt": "2016-04-15T00:23:34.990771358Z",
        "FinishedAt": "2016-04-15T00:23:35.108957151Z"
    },
    "Image": "9c35f0974faba3b67cc31f07388323d8a7696b34ad277e799aa2f18d3b9cf3c3",
    "ResolvConfPath": "/var/lib/docker/containers/571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b/hostname",
    "HostsPath": "/var/lib/docker/containers/571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b/hosts",
    "LogPath": "/var/lib/docker/containers/473d04fc4818080dff8f4a3253e2df360f48b31c1d0ce654e2122a3294ebbe23/473d04fc4818080dff8f4a3253e2df360f48b31c1d0ce654e2122a3294ebbe23-json.log",
    "Name": "/k8s_kube-proxy.2858f3a2_kube-proxy-gke-zml-test-1000-default-pool-26a68b7c-8nbd_kube-system_593cc7c4600ba686dbbec97628a64929_7bfa6a3d",
    "RestartCount": 0,
    "Driver": "aufs",
    "ExecDriver": "native-0.2",
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": [
            "/usr/share/ca-certificates:/etc/ssl/certs:ro",
            "/var/log:/var/log",
            "/var/lib/kube-proxy/kubeconfig:/var/lib/kube-proxy/kubeconfig",
            "/var/lib/kubelet/pods/593cc7c4600ba686dbbec97628a64929/containers/kube-proxy/7bfa6a3d:/dev/termination-log"
        ],
        "ContainerIDFile": "",
        "LxcConf": null,
        "Memory": 0,
        "MemoryReservation": 0,
        "MemorySwap": -1,
        "KernelMemory": 0,
        "CpuShares": 20,
        "CpuPeriod": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "CpuQuota": 0,
        "BlkioWeight": 0,
        "OomKillDisable": false,
        "MemorySwappiness": null,
        "Privileged": true,
        "PortBindings": null,
        "Links": null,
        "PublishAllPorts": false,
        "Dns": null,
        "DnsOptions": null,
        "DnsSearch": null,
        "ExtraHosts": null,
        "VolumesFrom": null,
        "Devices": null,
        "NetworkMode": "container:571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b",
        "IpcMode": "container:571571b8c0f8d814f84712a090d8996715bd386a2ab5b75f791949bb0e435e3b",
        "PidMode": "",
        "UTSMode": "host",
        "CapAdd": null,
        "CapDrop": null,
        "GroupAdd": null,
        "RestartPolicy": {
            "Name": "",
            "MaximumRetryCount": 0
        },
        "SecurityOpt": null,
        "ReadonlyRootfs": false,
        "Ulimits": null,
        "LogConfig": {
            "Type": "json-file",
            "Config": {}
        },
        "CgroupParent": "/",
        "ConsoleSize": [
            0,
            0
        ],
        "VolumeDriver": ""
    },
    "GraphDriver": {
        "Name": "aufs",
        "Data": null
    },
    "Mounts": [
        {
            "Source": "/usr/share/ca-certificates",
            "Destination": "/etc/ssl/certs",
            "Mode": "ro",
            "RW": false
        },
        {
            "Source": "/var/log",
            "Destination": "/var/log",
            "Mode": "",
            "RW": true
        },
        {
            "Source": "/var/lib/kube-proxy/kubeconfig",
            "Destination": "/var/lib/kube-proxy/kubeconfig",
            "Mode": "",
            "RW": true
        },
        {
            "Source": "/var/lib/kubelet/pods/593cc7c4600ba686dbbec97628a64929/containers/kube-proxy/7bfa6a3d",
            "Destination": "/dev/termination-log",
            "Mode": "",
            "RW": true
        }
    ],
    "Config": {
        "Hostname": "gke-zml-test-1000-default-pool-26a68b7c-8nbd",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
            "KUBE_DNS_PORT_53_TCP_ADDR=10.39.240.10",
            "KUBERNETES_SERVICE_PORT_HTTPS=443",
            "HEAPSTER_SERVICE_PORT=80",
            "HEAPSTER_PORT_80_TCP_PROTO=tcp",
            "HEAPSTER_PORT=tcp://10.39.249.24:80",
            "HEAPSTER_PORT_80_TCP_PORT=80",
            "KUBERNETES_DASHBOARD_PORT=tcp://10.39.244.160:80",
            "KUBERNETES_DASHBOARD_PORT_80_TCP_PROTO=tcp",
            "DEFAULT_HTTP_BACKEND_SERVICE_PORT_HTTP=80",
            "KUBERNETES_PORT=tcp://10.39.240.1:443",
            "KUBERNETES_PORT_443_TCP_PROTO=tcp",
            "KUBERNETES_DASHBOARD_SERVICE_PORT=80",
            "KUBE_DNS_SERVICE_HOST=10.39.240.10",
            "DEFAULT_HTTP_BACKEND_PORT=tcp://10.39.246.187:80",
            "KUBERNETES_PORT_443_TCP=tcp://10.39.240.1:443",
            "KUBE_DNS_SERVICE_PORT=53",
            "KUBE_DNS_SERVICE_PORT_DNS_TCP=53",
            "KUBE_DNS_PORT_53_UDP_PROTO=udp",
            "KUBE_DNS_PORT_53_UDP_PORT=53",
            "KUBE_DNS_PORT_53_TCP_PORT=53",
            "KUBERNETES_PORT_443_TCP_ADDR=10.39.240.1",
            "HEAPSTER_PORT_80_TCP=tcp://10.39.249.24:80",
            "KUBERNETES_DASHBOARD_PORT_80_TCP_PORT=80",
            "KUBE_DNS_PORT_53_UDP=udp://10.39.240.10:53",
            "DEFAULT_HTTP_BACKEND_SERVICE_PORT=80",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP_PORT=80",
            "KUBERNETES_SERVICE_PORT=443",
            "KUBERNETES_PORT_443_TCP_PORT=443",
            "KUBERNETES_DASHBOARD_PORT_80_TCP_ADDR=10.39.244.160",
            "KUBE_DNS_SERVICE_PORT_DNS=53",
            "KUBE_DNS_PORT_53_TCP=tcp://10.39.240.10:53",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP_ADDR=10.39.246.187",
            "KUBERNETES_SERVICE_HOST=10.39.240.1",
            "KUBE_DNS_PORT_53_UDP_ADDR=10.39.240.10",
            "DEFAULT_HTTP_BACKEND_SERVICE_HOST=10.39.246.187",
            "HEAPSTER_SERVICE_HOST=10.39.249.24",
            "HEAPSTER_PORT_80_TCP_ADDR=10.39.249.24",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP_PROTO=tcp",
            "KUBERNETES_DASHBOARD_SERVICE_HOST=10.39.244.160",
            "KUBERNETES_DASHBOARD_PORT_80_TCP=tcp://10.39.244.160:80",
            "KUBE_DNS_PORT=udp://10.39.240.10:53",
            "KUBE_DNS_PORT_53_TCP_PROTO=tcp",
            "DEFAULT_HTTP_BACKEND_PORT_80_TCP=tcp://10.39.246.187:80",
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Cmd": null,
        "Image": "gcr.io/google_containers/kube-proxy:8b05000df15f495bb5654b4b094af85f",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": [
            "/bin/sh",
            "-c",
            "kube-proxy --master=https://146.148.51.87 --kubeconfig=/var/lib/kube-proxy/kubeconfig --resource-container=\"\" --v=2  1\u003e\u003e/var/log/kube-proxy.log 2\u003e\u00261"
        ],
        "OnBuild": null,
        "Labels": {
            "io.kubernetes.container.hash": "2858f3a2",
            "io.kubernetes.container.name": "kube-proxy",
            "io.kubernetes.container.restartCount": "43",
            "io.kubernetes.container.terminationMessagePath": "/dev/termination-log",
            "io.kubernetes.pod.name": "kube-proxy-gke-zml-test-1000-default-pool-26a68b7c-8nbd",
            "io.kubernetes.pod.namespace": "kube-system",
            "io.kubernetes.pod.terminationGracePeriod": "30",
            "io.kubernetes.pod.uid": "593cc7c4600ba686dbbec97628a64929"
        }
    },
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": null,
        "SandboxKey": "",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "",
        "Gateway": "",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "",
        "IPPrefixLen": 0,
        "IPv6Gateway": "",
        "MacAddress": "",
        "Networks": null
    }
}

@thockin
Member

thockin commented Apr 15, 2016

Cutting out unrelated stuff.

docker run -ti --privileged --net=host busybox mount | grep ^sysfs

On this machine: sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
On my own machine: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)

Both are docker 1.9.1, built Fri Nov 20 17:56:04 UTC 2015

Both are same kernel

?????

@thockin
Member

thockin commented Apr 15, 2016

I want to try a reboot or docker restart, but I am afraid it will fix the problem...

@zmerlynn
Member Author

Yeah, funny, we were trying similar experiments just now. :)

@zmerlynn zmerlynn added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Apr 15, 2016
@thockin
Member

thockin commented Apr 15, 2016

moby/moby#7101 ???

@thockin
Member

thockin commented Apr 15, 2016

Perhaps we need to add this as part of a node test suite? @dchen1107 @yujuhong

@zmerlynn
Member Author

Pinged the Docker bug. Yes, it might be valuable if the docker-checker could check this .. I was able to kill Docker and everything came back clean.

@yujuhong
Contributor

Perhaps we need to add this as part of a node test suite? @dchen1107 @yujuhong

If you mean the node e2e suite, yes, we can add checks to see if the mounts are correct in a privileged container.
In this particular case, it's a one in a thousand flake, so we may not be able to catch it reliably.

Pinged the Docker bug. Yes, it might be valuable if the docker-checker could check this .. I was able to kill Docker and everything came back clean.

This requires a different type of check that performs docker write operations (e.g., creating docker containers periodically). We talked about it briefly before v1.2, but didn't have time to act on it. I am not sure if this is in the scope of the "problem API" targeted for v1.3 (/cc @dchen1107 @Random-Liu).

@thockin
Member

thockin commented Apr 15, 2016

Are we going to have a docker health checker on nodes? This could be one of the health probes, restarting docker if it fails...

@thockin
Member

thockin commented Apr 15, 2016

Why did you close this?
On Apr 14, 2016 9:28 PM, "Lantao Liu" notifications@github.com wrote:

Closed #24295 #24295.

@Random-Liu
Member

? I didn't do that???

@Random-Liu
Member

Maybe misclick... Sorry about that... :(
Reopen it.

@Random-Liu Random-Liu reopened this Apr 15, 2016
@yujuhong
Contributor

Are we going to have a docker health checker on nodes? This could be one of the health probes, restarting docker if it fails...

We talked about having an API so that kubelet can aggregate various issues from independent health checkers on the machines and surface the information. This could include a docker (or any container runtime) health checker. Now that I think about it, restarting/fixing the problem may not be part of the original scope. @dchen1107 had stronger opinions on this though.

@zmerlynn
Member Author

zmerlynn commented May 2, 2016

This is showing up very frequently on 1000 node clusters. Or at least, a symptom like it, in that kube-proxy isn't coming up:

10:33:00 May  2 10:32:32.049: INFO: Running kubectl logs on non-ready containers in kube-system
10:33:00 STEP: Logs of kube-system/kube-proxy-gke-jenkins-e2e-default-pool-7377264e-ebyv:kube-proxy on node gke-jenkins-e2e-default-pool-7377264e-ebyv
10:33:00 May  2 10:32:32.065: INFO: 
10:33:00 STEP: Logs of kube-system/kube-proxy-gke-jenkins-e2e-default-pool-7377264e-fvtu:kube-proxy on node gke-jenkins-e2e-default-pool-7377264e-fvtu
10:33:00 May  2 10:32:32.083: INFO: 
10:33:00 STEP: Logs of kube-system/kube-proxy-gke-jenkins-e2e-default-pool-7377264e-gffl:kube-proxy on node gke-jenkins-e2e-default-pool-7377264e-gffl
10:33:00 May  2 10:32:32.098: INFO: 

It's enough that this needs to be considered a priority for scalability work.

@zmerlynn zmerlynn added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 2, 2016
@thockin
Member

thockin commented May 3, 2016

Update the docker bug?

@webwurst
Contributor

webwurst commented May 3, 2016

I always get this error message when I try to start kube-proxy in docker-in-docker, although --privileged is used. As a workaround, using --conntrack-max=0 with kube-proxy helps.

@zmerlynn zmerlynn added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels May 11, 2016
@zmerlynn
Member Author

This is going to need attention before 1.3 ships. The answer from Docker seems to be "upgrade Docker and call us in the morning".

@zmerlynn zmerlynn added this to the v1.3 milestone May 11, 2016
@dchen1107
Member

dchen1107 commented May 11, 2016

Regarding Yuju's comment at #24295 (comment)

This issue is out-of-scope of node problem detector:

  • /sys is mounted properly on the host
  • No kernel error found in dmesg that the detector could use to reliably detect the issue
  • No docker error message found in docker.log
  • The kube-proxy container is created and started properly until it tries to open the file and crashes. The related code is:
    return ioutil.WriteFile("/sys/module/nf_conntrack/parameters/hashsize", []byte(strconv.Itoa(max/4)), 0640)
  • Neither node problem detector nor kubelet should process an application's log (here, unfortunately, the application is kube-proxy) to report an issue.

@zmerlynn mentioned that restarting the docker daemon can remedy the problem, but so far I haven't found any signal that would tell the docker daemon to restart.

I think deleting and recreating pod on the node should fix the issue. But need to verify that.

@dchen1107
Member

@mgoelzer Thanks for chiming in and giving us the suggestion on the docker version for the next release. The issue is one of many examples we are currently encountering with docker releases.
The issue was reported to docker before the 1.6 release, but is not fixed today. Such a problem could happen to any container running in privileged mode, which gives it higher severity, since a lot of daemon containers run with that mode. If we, the Kubernetes and docker communities, can collaborate to identify those issues / bugs and work together to get them fixed, that would be great. We can help with reproducing, testing and even providing fixes. Thanks!

cc/ @thockin

@dchen1107
Member

@zmerlynn gave me a node which is running into this problem.

  • Deleting and recreating the pod on the bad node doesn't fix the issue.
  • Explicitly mounting sysfs on the bad node does mount sysfs in rw mode, but it still throws an error (a different one from above) when updating the file:
# docker run -ti --privileged=true -v /sys:/sys --net=host busybox sh
/ # mount | grep sysfs
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
~ # echo 16383 >  /sys/module/nf_conntrack/parameters/hashsize 
sh: write error: Operation not supported
  • Restarting docker fixes the problem.

Nothing is in docker log again!

@thockin
Member

thockin commented May 13, 2016

Awesome.


@mikedanese
Member

Is there a corresponding docker issue?

@thockin
Member

thockin commented May 14, 2016

moby/moby#7101

@mikedanese
Member

That issue looks slightly different. Inside the container in the docker issue /sys is mounted ro when the user greps mounts. In Dawn's snippet /sys is still mounted rw inside the container. Possibly an issue with capabilities?

@mikedanese
Member

(sorry, still catching up) perhaps we should file a separate issue for this.

@thockin
Member

thockin commented May 14, 2016

I think it was r/w only if explicitly remounted, but it starts as ro in about 0.1% of runs

@zmerlynn
Member Author

@dchen1107 @thockin - Which of you is driving this? I thought someone had the ball on this bug.

@thockin
Member

thockin commented May 23, 2016

I was not driving a docker fix, and I think we prioritized this down for now, but I admit that I looked away.


@dchen1107
Member

What is the difference between this issue and #25543? I thought we moved all the discussion to the new issue #25543 for a temporary workaround for 1.3. I just updated #25543 with the latest proposal.

@zmerlynn Could you please file a separate issue against docker? I agreed with @mikedanese above it is a different docker issue: moby/moby#7101

@zmerlynn
Member Author

I was wondering why #25543 was opened at all, it's basically a dupe. :)

@zmerlynn
Member Author

Honestly, I forgot that a dupe had been opened. We still need traction on that bug.

I don't have time to chase this issue with Docker, and the last time I pinged them, they told me to GFY until we were on 1.11: moby/moby#7101 (comment)

@dchen1107
Member

Do we still observe the problem with docker 1.11.X? If no, I want to close this; otherwise, we are going to reconfigure NodeProblemDetector to make the issue visible.

@dchen1107
Member

Close this one as dup of #25543
