5:29 a.m.
Hi,
I found an issue in libvirt related to libvirt-lxc, but fail to find the
root cause.
The TL;DR is: libvirt-lxc guests get killed on libvirt restart due to
"internal error: No valid cgroup for machine"
It was able to reproduce libvirt 1.3.1, 2.4 and 2.5 as packages in Ubuntu
and Debian.
I wanted to ask for two things:
- wider coverage where this does reproduce
- your expertise on the case itself.
Steps to reproduce:
1. Spawn new KVM Guest of your choice
2. install test dependencies
$ apt-get install libvirt-daemon-system libvirt-clients libxml2-utils
# or package managers / package names of your chosen os
3. run the following sequence as root
export LIBVIRT_DEFAULT_URI=lxc:///
cat << EOF > /tmp/smoke-lxc.xml
<domain type='lxc'>
<name>sl</name>
<memory unit='KiB'>256000</memory>
<currentMemory unit='KiB'>256000</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type>exe</type>
<init>/bin/bash</init>
</os>
<features>
<privnet/>
</features>
<clock offset='utc'/>
<devices>
<emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
<filesystem type='mount' accessmode='passthrough'>
<source dir='/'/>
<target dir='/'/>
</filesystem>
<console type='pty'>
<target type='lxc' port='0'/>
</console>
</devices>
</domain>
EOF
virsh define /tmp/smoke-lxc.xml
virsh start sl
virsh list --all
# is running now
/etc/init.d/libvirtd restart
virsh list --all
# is no more running, but it should
Way more background and detail can be found at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848317
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
7:36 a.m.
Hey Christian,
On Tue, 2016-12-20 at 12:29 +0100, Christian Ehrhardt wrote:
Hi,
I found an issue in libvirt related to libvirt-lxc, but fail to find the root cause.
The TL;DR is: libvirt-lxc guests get killed on libvirt restart due to "internal
error: No valid cgroup for machine"
It was able to reproduce libvirt 1.3.1, 2.4 and 2.5 as packages in Ubuntu and Debian.
I wanted to ask for two things:
- wider coverage where this does reproduce
I couldn't reproduce here with openSUSE Tumbleweed and libvirt 2.5 packages.
- your expertise on the case itself.
It seems that you'll need to check what's going on in virCgroupDetect().
Steps to reproduce:
1. Spawn new KVM Guest of your choice
2. install test dependencies
$ apt-get install libvirt-daemon-system libvirt-clients libxml2-utils
# or package managers / package names of your chosen os
3. run the following sequence as root
export LIBVIRT_DEFAULT_URI=lxc:///
cat << EOF > /tmp/smoke-lxc.xml
<domain type='lxc'>
<name>sl</name>
<memory unit='KiB'>256000</memory>
<currentMemory unit='KiB'>256000</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type>exe</type>
<init>/bin/bash</init>
</os>
<features>
<privnet/>
</features>
<clock offset='utc'/>
<devices>
<emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
The emulator should be removed from the config for portability
purpose: the libvirt_lxc path may vary from a distro / arch to another
and libvirt's lxc driver is able to auto-add it.
--
Cedric
10:14 a.m.
Hi Cedric,x
On Wed, Dec 21, 2016 at 02:36:39PM +0100, Cedric Bosdonnat wrote:
Hey Christian,
On Tue, 2016-12-20 at 12:29 +0100, Christian Ehrhardt wrote:
> Hi,
> I found an issue in libvirt related to libvirt-lxc, but fail to find the root
cause.
>
> The TL;DR is: libvirt-lxc guests get killed on libvirt restart due to "internal
error: No valid cgroup for machine"
>
> It was able to reproduce libvirt 1.3.1, 2.4 and 2.5 as packages in Ubuntu and
Debian.
> I wanted to ask for two things:
> - wider coverage where this does reproduce
I couldn't reproduce here with openSUSE Tumbleweed and libvirt 2.5 packages.
I had a short look and it seems like this sequence is killing all running
libvirt-lxc guests reliably:
# no lxc guest running yet
export LIBVIRT_DEFAULT_URI=lxc:///
DOMAIN=sl
systemctl daemon-reload
# start lxc guest
virsh start ${DOMAIN}
sleep 1 # give vm some time to start
systemctl restart libvirtd
virsh list | grep -qs "${DOMAIN}[[:space:]]\+running"
# lxc guest gone
The important part is the "systemctl daemon-reload". If one leaves that
out libvirtd restarts don't kill off any lxc-domains anymore.
The issue is that libvirt on reattach fails virCgroupNewDetectMachine
due to /proc/<pid-of-lxc-container>/cgroup having changed after
libvird's restart:
Before systemctl restarts libvirtd:
10:perf_event:/machine/lxc-21383-sl.libvirt-lxc
9:cpuset:/machine/lxc-21383-sl.libvirt-lxc
8:net_cls,net_prio:/machine/lxc-21383-sl.libvirt-lxc
7:pids:/system.slice/libvirtd.service
6:memory:/machine/lxc-21383-sl.libvirt-lxc
5:cpu,cpuacct:/machine/lxc-21383-sl.libvirt-lxc
4:devices:/machine/lxc-21383-sl.libvirt-lxc
3:freezer:/machine/lxc-21383-sl.libvirt-lxc
2:blkio:/machine/lxc-21383-sl.libvirt-lxc
1:name=systemd:/system.slice/libvirtd.service
After systemctl restart libvirtd:
10:perf_event:/machine/lxc-21383-sl.libvirt-lxc
9:cpuset:/machine/lxc-21383-sl.libvirt-lxc
8:net_cls,net_prio:/machine/lxc-21383-sl.libvirt-lxc
7:pids:/system.slice/libvirtd.service
6:memory:/system.slice/libvirtd.service
5:cpu,cpuacct:/system.slice/libvirtd.service
4:devices:/system.slice/libvirtd.service
3:freezer:/machine/lxc-21383-sl.libvirt-lxc
2:blkio:/system.slice/libvirtd.service
1:name=systemd:/system.slice/libvirtd.service
so the process is moved to other memory, cpu, device and blkio cgroups
and therefore libvirtd can't find it anymore. The error in the log looks
like:
debug : virCgroupValidateMachineGroup:333 : Name 'libvirtd.service' for controller
'cpu' does not match 'sl', 'lxc-21383-sl',
'sl.libvirt-lxc', 'machine-lxc\x2dsl.scope' or
'machine-lxc\x2d21383\x2dsl.scope'
This does _not_ happen if one restarts libvirtd right after the "systemctl
daemon-reload" or if one drops the "systemctl daemon-reload" from the
above
example. This also does not happen if one stops libvird via systemd but
starts it as /usr/sbin/libvirtd directly. So the culprit happens when
* systemctl daemon-reload
* libvirtd is restared via systemctl
I've looked at audit logs and straced pid 1 without spotting
anything. Any ideas where to go looking now?
This is systemd 232.
Cheers,
-- Guido
> - your expertise on the case itself.
It seems that you'll need to check what's going on in virCgroupDetect().
> Steps to reproduce:
> 1. Spawn new KVM Guest of your choice
> 2. install test dependencies
> $ apt-get install libvirt-daemon-system libvirt-clients libxml2-utils
> # or package managers / package names of your chosen os
> 3. run the following sequence as root
> export LIBVIRT_DEFAULT_URI=lxc:///
> cat << EOF > /tmp/smoke-lxc.xml
> <domain type='lxc'>
> <name>sl</name>
> <memory unit='KiB'>256000</memory>
> <currentMemory unit='KiB'>256000</currentMemory>
> <vcpu placement='static'>1</vcpu>
> <os>
> <type>exe</type>
> <init>/bin/bash</init>
> </os>
> <features>
> <privnet/>
> </features>
> <clock offset='utc'/>
> <devices>
> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
The emulator should be removed from the config for portability
purpose: the libvirt_lxc path may vary from a distro / arch to another
and libvirt's lxc driver is able to auto-add it.
--
Cedric
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
5:21 p.m.
On Sat, Dec 24, 2016 at 05:14:44PM +0100, Guido Günther wrote:
Hi Cedric,x
On Wed, Dec 21, 2016 at 02:36:39PM +0100, Cedric Bosdonnat wrote:
> Hey Christian,
>
> On Tue, 2016-12-20 at 12:29 +0100, Christian Ehrhardt wrote:
> > Hi,
> > I found an issue in libvirt related to libvirt-lxc, but fail to find the root
cause.
> >
> > The TL;DR is: libvirt-lxc guests get killed on libvirt restart due to
"internal error: No valid cgroup for machine"
> >
> > It was able to reproduce libvirt 1.3.1, 2.4 and 2.5 as packages in Ubuntu and
Debian.
> > I wanted to ask for two things:
> > - wider coverage where this does reproduce
>
> I couldn't reproduce here with openSUSE Tumbleweed and libvirt 2.5 packages.
I had a short look and it seems like this sequence is killing all running
libvirt-lxc guests reliably:
# no lxc guest running yet
export LIBVIRT_DEFAULT_URI=lxc:///
DOMAIN=sl
systemctl daemon-reload
# start lxc guest
virsh start ${DOMAIN}
sleep 1 # give vm some time to start
systemctl restart libvirtd
Using ftrae I can see that systemd moves the process into the wrong
cgroup on start:
systemd-1 [000] .... 652.333068: cgroup_attach_task: dst_root=3 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333117: cgroup_attach_task: dst_root=3 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333160: cgroup_attach_task: dst_root=6 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333203: cgroup_attach_task: dst_root=4 dst_id=107
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333245: cgroup_attach_task: dst_root=8 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333286: cgroup_attach_task: dst_root=7 dst_id=84
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
I've attached the script to reproduce this and would be happy about
ideas of the root cause.
Cheers,
-- Guido
10:25 a.m.
Hi Guido,
On Sun, 2016-12-25 at 00:21 +0100, Guido Günther wrote:
On Sat, Dec 24, 2016 at 05:14:44PM +0100, Guido Günther wrote:
> Hi Cedric,x
> On Wed, Dec 21, 2016 at 02:36:39PM +0100, Cedric Bosdonnat wrote:
> > Hey Christian,
> >
> > On Tue, 2016-12-20 at 12:29 +0100, Christian Ehrhardt wrote:
> > > Hi,
> > > I found an issue in libvirt related to libvirt-lxc, but fail to find the
root cause.
> > >
> > > The TL;DR is: libvirt-lxc guests get killed on libvirt restart due to
"internal error: No valid cgroup for
> > > machine"
> > >
> > > It was able to reproduce libvirt 1.3.1, 2.4 and 2.5 as packages in Ubuntu
and Debian.
> > > I wanted to ask for two things:
> > > - wider coverage where this does reproduce
> >
> > I couldn't reproduce here with openSUSE Tumbleweed and libvirt 2.5
packages.
>
> I had a short look and it seems like this sequence is killing all running
> libvirt-lxc guests reliably:
>
> # no lxc guest running yet
> export LIBVIRT_DEFAULT_URI=lxc:///
> DOMAIN=sl
> systemctl daemon-reload
>
> # start lxc guest
> virsh start ${DOMAIN}
> sleep 1 # give vm some time to start
> systemctl restart libvirtd
Using ftrae I can see that systemd moves the process into the wrong
cgroup on start:
systemd-1 [000] .... 652.333068: cgroup_attach_task: dst_root=3 dst_id=80
dst_level=2
dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333117: cgroup_attach_task: dst_root=3 dst_id=80
dst_level=2
dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333160: cgroup_attach_task: dst_root=6 dst_id=80
dst_level=2
dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333203: cgroup_attach_task: dst_root=4 dst_id=107
dst_level=2
dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333245: cgroup_attach_task: dst_root=8 dst_id=80
dst_level=2
dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333286: cgroup_attach_task: dst_root=7 dst_id=84
dst_level=2
dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
I've attached the script to reproduce this and would be happy about
ideas of the root cause.
Thanks for your work: it really helped me reproduce it here too. After quite a lot
of fiddling with the thing I discovered that it happens to me only if daemon-reload is
done
between the container start and the libvirtd restart.
I've also seen that the following doesn't lead to the problem:
virsh start sl
systemctl daemon-reload
systemctl stop libvirtd
libvirtd (manual start)
But after that, if I kill libvirtd and start it using systemctl start libvirtd, then the
container disappears too.
I tried debugging this, but didn't come to anything interesting thus far. I'll try
again later
with a less confused brain ;)
--
Cedric
4:46 a.m.
On Sun, Dec 25, 2016 at 12:21:18AM +0100, Guido Günther wrote:
On Sat, Dec 24, 2016 at 05:14:44PM +0100, Guido Günther wrote:
> Hi Cedric,x
> On Wed, Dec 21, 2016 at 02:36:39PM +0100, Cedric Bosdonnat wrote:
> > Hey Christian,
> >
> > On Tue, 2016-12-20 at 12:29 +0100, Christian Ehrhardt wrote:
> > > Hi,
> > > I found an issue in libvirt related to libvirt-lxc, but fail to find the
root cause.
> > >
> > > The TL;DR is: libvirt-lxc guests get killed on libvirt restart due to
"internal error: No valid cgroup for machine"
> > >
> > > It was able to reproduce libvirt 1.3.1, 2.4 and 2.5 as packages in Ubuntu
and Debian.
> > > I wanted to ask for two things:
> > > - wider coverage where this does reproduce
> >
> > I couldn't reproduce here with openSUSE Tumbleweed and libvirt 2.5
packages.
>
> I had a short look and it seems like this sequence is killing all running
> libvirt-lxc guests reliably:
>
> # no lxc guest running yet
> export LIBVIRT_DEFAULT_URI=lxc:///
> DOMAIN=sl
> systemctl daemon-reload
>
> # start lxc guest
> virsh start ${DOMAIN}
> sleep 1 # give vm some time to start
> systemctl restart libvirtd
Using ftrae I can see that systemd moves the process into the wrong
cgroup on start:
systemd-1 [000] .... 652.333068: cgroup_attach_task: dst_root=3 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333117: cgroup_attach_task: dst_root=3 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333160: cgroup_attach_task: dst_root=6 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333203: cgroup_attach_task: dst_root=4 dst_id=107
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333245: cgroup_attach_task: dst_root=8 dst_id=80
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
systemd-1 [000] .... 652.333286: cgroup_attach_task: dst_root=7 dst_id=84
dst_level=2 dst_path=/system.slice/libvirtd.service pid=4073 comm=libvirt_lxc
I've attached the script to reproduce this and would be happy about
ideas of the root cause.
Ok, so when libvirt starts an LXC guest, it creates a machine slice with
system to hold the container processes. The machine slice has the container
PID 1 as its leader, but libvirt also adds the libvirt_lxc controller and
and any qemu-nbd processes to the cgroups assoicated with this machine
slice..... except it only does this for resource cgroups its using and
does *not* do this for the systemd cgroup.
So if you query libvirtd.service status, it'll show libvirt_lxc being
associated with that, instead of the machine slice
# systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset:
enabled)
Active: active (running) since Thu 2017-01-05 10:38:02 GMT; 10s ago
Docs: man:libvirtd(8)
http://libvirt.org
Main PID: 6723 (libvirtd)
Tasks: 20 (limit: 4915)
CGroup: /system.slice/libvirtd.service
├─1547 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
--leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
├─1548 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
--leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
├─6723 /usr/sbin/libvirtd --listen
└─6888 /usr/libexec/libvirt_lxc --name sl --console 25 --security=selinux
--handshake 28
# systemctl status machine-lxc\\x2d6888\\x2dsl.scope
● machine-lxc\x2d6888\x2dsl.scope - Container lxc-6888-sl
Loaded: loaded (/run/systemd/transient/machine-lxc\x2d6888\x2dsl.scope; transient;
vendor preset: disabled)
Transient: yes
Active: active (running) since Thu 2017-01-05 10:38:04 GMT; 13s ago
Tasks: 1 (limit: 16384)
Memory: 812.0K
CPU: 25ms
CGroup: /machine.slice/machine-lxc\x2d6888\x2dsl.scope
└─6889 /bin/bash
Now, when you do a restart of libvirtd.service, systemd will ensure that all
the processes associated with that service are in the right cgroups, moving
them if needed. systemd only refreshes its view of cgroup placement when
you do a daemon-reload. Hence it only notices that libvirt moved libvirt_lxc
after doing a daemon-reload. Anyway, systemd moves libvirt_lxc back into
the cgroups associated with libvirtd.service.
I think to fix this, we will need to ensure that we move libvirt_lxc into
the machine slice for the systemd cgroup controller too.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
2878
days inactive
2894
days old
5 comments
4 participants
participants (4)
-
Cedric Bosdonnat -
Christian Ehrhardt -
Daniel P. Berrange -
Guido Günther