[centos9] cgroup parent change for systemd slice breaks virtlogd_wrapper and nova_libvirt containers

Bug #1936005 reported by David Vallee Delisle
Affects: tripleo
Status: In Progress
Importance: High
Assigned to: David Vallee Delisle

Bug Description

In centos8/rhel8, containers created with systemd as cgroup-managers are stored like this under /sys/fs/cgroup [1]

In centos9 they are all stored under /sys/fs/cgroup/machine.slice.

When nova_virtlogd_wrapper tries to spin nova_virtlogd, it gets an error by default:
Error: create directory `/sys/fs/cgroup/../../libpod-366360a13cc787666d27753ec730ea082d838b9bfe013d62eea6a8ad10b055ac.scope`: No such file or directory: OCI runtime attempted to invoke a command that was not found

If we add --cgroup-manager=cgroupfs to the wrapper, we have something like this:
Error: writing file `/sys/fs/cgroup/libpod_parent/libpod-4718f186840ee64b1ea3e4440dbbdcdc3a04e12405d5f890a1ab65df1c31707a/cgroup.procs`: No such file or directory: OCI runtime attempted to invoke a command that was not found

If we add --cgroup-manager=cgroupfs --cgroup-parent=machine.slice, we get this:
Error: systemd slice received as cgroup parent when using cgroupfs: invalid argument

If we try this --cgroup-manager=cgroupfs --cgroup-parent=test/dvd, we get this:
Error: writing file `/sys/fs/cgroup/test/dvd/libpod-6a6e41e75024c10b4b458a3e53ffc757f0ba6abbcede98f13711884887ab7529/cgroup.procs`: No such file or directory: OCI runtime attempted to invoke a command that was not found

So it looks like the virtlogd_wrapper container is not using the same cgroup format as the host itself.

What's interesting is that we can confirm that it's the same version of podman called in both the host and the container [2] when it's called with nsenter, but when we don't call nsenter, we see the difference in version [3].

A workaround for this issue would be to set NovaEnableVirtlogdContainerWrapper: false.

[1]
~~~
[root@undercloud-0 ~]# find /sys/fs/cgroup/ -maxdepth 3 -type d -name libpod\* | cut -f 1-5 -d "/" | sort | uniq
/sys/fs/cgroup/blkio
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/devices
/sys/fs/cgroup/freezer
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/memory
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/pids
/sys/fs/cgroup/systemd
~~~

[2]
~~~
[root@standalone stdouts]# diff -u <(rpm -qa | grep pod) <(podman exec -u0 nova_virtlogd_wrapper nsenter --preserve-credentials -m -t 1 rpm -qa | grep pod)
[root@standalone stdouts]# diff -u <(podman info) <(podman exec -u0 nova_virtlogd_wrapper nsenter --preserve-credentials -m -t 1 podman info)
--- /dev/fd/63 2021-07-13 22:13:06.223105268 +0000
+++ /dev/fd/62 2021-07-13 22:13:06.225105271 +0000
@@ -27,7 +27,7 @@
     uidmap: null
   kernel: 5.13.0-1.el9.x86_64
   linkmode: dynamic
- memFree: 8744153088
+ memFree: 8710406144
   memTotal: 15712301056
   ociRuntime:
     name: crun
@@ -55,7 +55,7 @@
     version: ""
   swapFree: 1073737728
   swapTotal: 1073737728
- uptime: 25m 7.44s
+ uptime: 25m 7.53s
 registries:
   192.168.24.2:8787:
     Blocked: false
~~~

[3]
~~~
[root@standalone stdouts]# diff -u <(rpm -qa | grep pod) <(podman exec -u0 nova_virtlogd_wrapper rpm -qa | grep pod)
--- /dev/fd/63 2021-07-13 22:14:32.258239798 +0000
+++ /dev/fd/62 2021-07-13 22:14:32.258239798 +0000
@@ -1,4 +1,3 @@
-perl-podlators-4.14-459.el9.noarch
-ansible-collection-containers-podman-1.4.1-2.el9.noarch
-podman-catatonit-3.3.0-0.6.el9.x86_64
-podman-3.3.0-0.6.el9.x86_64
+podman-3.1.0-0.13.module_el8.5.0+733+9bb5dffa.x86_64
+perl-podlators-4.11-1.el8.noarch
+podman-catatonit-3.1.0-0.13.module_el8.5.0+733+9bb5dffa.x86_64
~~~

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/800731

Revision history for this message
David Vallee Delisle (valleedelisle) wrote : Re: [centos9] cgroup parent change for systemd slice breaks virtlogd_wrapper

With the above patch, instances are still not launching, returning this traceback [1], so this cgroup or namespace change is also affecting nova_libvirtd, presumably.

[1]
~~~
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [req-b526d04d-1bfe-49e3-8a9d-19f6e93225e4 aa9659a889c3439485a7a307256e4250 4a886606e5a44e9e838582c33347166d - default default] [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] Instance failed to spawn: libvirt.libvirtError: unable to open '/sys/fs/cgroup/machine/qemu-1-instance-00000002.libvirt-qemu/': No such file or directory
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] Traceback (most recent call last):
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2640, in _build_resources
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] yield resources
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2413, in _build_and_run_instance
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] accel_info=accel_info)
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 4193, in spawn
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] cleanup_instance_disks=created_disks)
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 7250, in _create_guest_with_network
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] cleanup_instance_disks=cleanup_instance_disks)
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 227, in __exit__
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] self.force_reraise()
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 200, in force_reraise
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] raise self.value
nova-compute.log:2021-07-14 00:15:23.206 2 ERROR nova.compute.manager [instance: 347d7250-b14a-4bfb-8aab-7a3580847865] File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 7218, in _create_guest_with_network
nova-compute.log:2021-07-14 00:15:23.206...


Changed in tripleo:
assignee: nobody → David Vallee Delisle (valleedelisle)
status: New → Confirmed
Revision history for this message
David Vallee Delisle (valleedelisle) wrote :

The cause of all these issues is that c9 [1] uses cgroupsv2 by default, as opposed to c8 [2], which uses cgroupsv1. More information here [a].

[a] https://www.redhat.com/en/blog/world-domination-cgroups-rhel-8-welcome-cgroups-v2

[1]
~~~
[root@standalone etc]# mount -l | grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
~~~

[2]
~~~
[root@undercloud-0 ~]# mount -l | grep cgroup
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuset)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,perf_event)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,net_cls,net_prio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,hugetlb)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpu,cpuacct)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,pids)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,rdma)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,blkio)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,freezer)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,devices)
~~~

Revision history for this message
David Vallee Delisle (valleedelisle) wrote :

I was able to spin a VM with the change mentioned above and enabling cgroupsv1:

~~~
grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="systemd.unified_cgroup_hierarchy=0"
~~~

When we enable cgroupsv1, there's still a cgroup2 mount under unified:
~~~
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate)
~~~
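
The three mount layouts quoted in this report (cgroupsv2 on c9, cgroupsv1 on c8, and c9 booted with `systemd.unified_cgroup_hierarchy=0`) can be told apart mechanically. The following is an added example, not part of the bug report or of the TripleO code: the function names `cgroup_mode` and `same_cgroupns` and the abbreviated sample lines are constructed here for illustration.

```shell
#!/bin/sh
# Added example: classify a host's cgroup layout from mount-table lines and
# compare the cgroup namespaces of two processes. Names are hypothetical.

# cgroup_mode: reads `mount -l` or /proc/mounts lines on stdin and prints
# unified (v2 only), hybrid (v1 plus a cgroup2 sub-mount), legacy (v1) or none.
cgroup_mode() {
    awk '
        { l = ($2 == "on" && $4 == "type")      # 1 for the `mount -l` layout
          mnt = l ? $3 : $2; fs = l ? $5 : $3 } # else the /proc/mounts layout
        fs == "cgroup2" && mnt == "/sys/fs/cgroup" { unified = 1 }
        fs == "cgroup2" && mnt != "/sys/fs/cgroup" { v2sub = 1 }
        fs == "cgroup"                             { v1 = 1 }
        END {
            if (unified)          print "unified"
            else if (v1 && v2sub) print "hybrid"
            else if (v1)          print "legacy"
            else                  print "none"
        }'
}

# same_cgroupns PID_A PID_B: status 0 when both processes share a cgroup
# namespace, 1 when they differ, 2 when a namespace link cannot be read.
same_cgroupns() {
    a=$(readlink "/proc/$1/ns/cgroup" 2>/dev/null) || return 2
    b=$(readlink "/proc/$2/ns/cgroup" 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Constructed samples, abbreviated from the mount output quoted in the report.
sample_c9() { cat <<'EOF'
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
EOF
}
sample_c8() { cat <<'EOF'
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
EOF
}
sample_c9_v1() { cat <<'EOF'
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
EOF
}

for s in sample_c9 sample_c8 sample_c9_v1; do
    printf '%s: %s\n' "$s" "$($s | cgroup_mode)"
done
# Live checks (Linux only); failures to read /proc are reported, not fatal.
if [ -r /proc/mounts ]; then printf 'this host: %s\n' "$(cgroup_mode < /proc/mounts)"; fi
if same_cgroupns $$ 1; then echo "cgroupns: shared with PID 1"
else echo "cgroupns: differs from PID 1 or not readable"; fi
```

Run from the host with a container's PID as the first argument, `same_cgroupns` shows whether that container shares the host's cgroup namespace and therefore sees the full host cgroup tree.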

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/800848

Changed in tripleo:
status: Confirmed → In Progress
summary: [centos9] cgroup parent change for systemd slice breaks virtlogd_wrapper
+ and nova_libvirt containers
Revision history for this message
David Vallee Delisle (valleedelisle) wrote :

downstream bug opened for virt team: https://bugzilla.redhat.com/show_bug.cgi?id=1985377

Changed in tripleo:
importance: Undecided → High
Revision history for this message
David Vallee Delisle (valleedelisle) wrote :

Setting cgroupns: host on the nova libvirt and virtlog containers solves all the issues we've had.

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/802489

Waiting for CI to complete on this, and doing additional validations, but this might be the way to go.

I think we should keep the podman --remote solution for the wrappers.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/800848
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/04cd218c823b3e7d9eb50f7b269e439282f9bfa7
Submitter: "Zuul (22348)"
Branch: master

commit 04cd218c823b3e7d9eb50f7b269e439282f9bfa7
Author: David Vallee Delisle <email address hidden>
Date: Wed Jul 14 18:17:21 2021 -0400

    tripleo-podman: Enable podman.socket

    Instead of relying on nsenter in the various wrappers, we should use
    podman --remote. To do this, we need to enable podman.socket.

    Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/800847
    Related-Bug: #1936005
    Change-Id: I4d6c6e5dbaaa6e9ff7fdb6f0c719ad3ae3645f15

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/802489
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/9b34719ed39125a35dbfc8293a5c88bbd8f8b78f
Submitter: "Zuul (22348)"
Branch: master

commit 9b34719ed39125a35dbfc8293a5c88bbd8f8b78f
Author: David Vallee Delisle <email address hidden>
Date: Tue Jul 27 08:30:00 2021 -0400

    [c9] nova_libvirt with host's cgroupns

    Based on related bz, nova_libvirt container should be started with
    cgroupns set to host in Centos 9

    Related-Bug: #1936005
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1985377
    Change-Id: Id0c4505c794f8cbae331f0f569967739c82700eb

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (master)

Change abandoned by "David Vallee Delisle <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/800731
Reason: This is no longer needed.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/802531
Committed: https://opendev.org/openstack/puppet-tripleo/commit/4b0410a356edfc0ecfff50f216025ebf8f69a9ca
Submitter: "Zuul (22348)"
Branch: master

commit 4b0410a356edfc0ecfff50f216025ebf8f69a9ca
Author: David Vallee Delisle <email address hidden>
Date: Tue Jul 27 10:25:59 2021 -0400

    [c9] wrappers should start containers with host's cgroupns

    Based on related bz, wrapper container should start containers with
    cgroupns set to host in Centos 9

    Related-Bug: #1936005
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1985377
    Change-Id: I7ff51d22eda5b2ee91001a4b4d8ab9387416dc23

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/809149

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/809210

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/809210
Committed: https://opendev.org/openstack/puppet-tripleo/commit/b67596f1b58ed6bd07ba36739ad2e223b4434a16
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit b67596f1b58ed6bd07ba36739ad2e223b4434a16
Author: David Vallee Delisle <email address hidden>
Date: Tue Jul 27 10:25:59 2021 -0400

    [c9] wrappers should start containers with host's cgroupns

    Based on related bz, wrapper container should start containers with
    cgroupns set to host in Centos 9

    Related-Bug: #1936005
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1985377
    Change-Id: I7ff51d22eda5b2ee91001a4b4d8ab9387416dc23
    (cherry picked from commit 4b0410a356edfc0ecfff50f216025ebf8f69a9ca)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/809149
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/37e4c3c596a4199f914813221609fc2a265ce107
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 37e4c3c596a4199f914813221609fc2a265ce107
Author: David Vallee Delisle <email address hidden>
Date: Tue Jul 27 08:30:00 2021 -0400

    [c9] nova_libvirt with host's cgroupns

    Based on related bz, nova_libvirt container should be started with
    cgroupns set to host in Centos 9

    Related-Bug: #1936005
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1985377
    Change-Id: Id0c4505c794f8cbae331f0f569967739c82700eb
    (cherry picked from commit 9b34719ed39125a35dbfc8293a5c88bbd8f8b78f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/821709

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "David Vallee Delisle <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/821709
Reason: zuul stuck?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/821709
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/157d0c112bf21139b4d9ca076f1121a941a35114
Submitter: "Zuul (22348)"
Branch: master

commit 157d0c112bf21139b4d9ca076f1121a941a35114
Author: David Vallee Delisle <email address hidden>
Date: Tue Dec 14 09:58:06 2021 -0500

    Start the l3 agent with cgroupns: host

    Since the l3 agent is spinning containers, it should use the host cgroups
    namespaces just like we did in nova [1]

    [1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/802489/

    Related-Bug: #1936005
    Closes-Bug: #1953738
    Change-Id: Ic83e946e1f3dc912bc4cf8270d66ecc7c2324c96

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/827642

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/827642
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/f962b8e14829d896b732867e2a9b862b4323ecb4
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit f962b8e14829d896b732867e2a9b862b4323ecb4
Author: David Vallee Delisle <email address hidden>
Date: Tue Dec 14 09:58:06 2021 -0500

    Start the l3 agent with cgroupns: host

    Since the l3 agent is spinning containers, it should use the host cgroups
    namespaces just like we did in nova [1]

    [1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/802489/

    Related-Bug: #1936005
    Closes-Bug: #1953738
    Closes-Bug: #1959582
    Change-Id: Ic83e946e1f3dc912bc4cf8270d66ecc7c2324c96
    (cherry picked from commit 157d0c112bf21139b4d9ca076f1121a941a35114)
