containerd: kubectl 1.21 and containerd fail to follow stream_idle_timeout
Description
Steps to reproduce the issue:
- Create a cluster with containerd.
- Use a version 1.21 kubectl
- Exec into a pod and see that it will not follow the stream_idle_timeout limit
Describe the results you received: Did not get kicked out.
Describe the results you expected: kicked out after the stream_idle_timeout time.
What version of containerd are you using:
1.5.2 and 1.4.6
Any other relevant information (runC version, CRI configuration, OS/Kernel version, etc.):
I’ve created an issue with Kubernetes about this issue as well. https://github.com/kubernetes/kubernetes/issues/102569
runc --version
```
$ runc --version
runc version 1.0.0-rc95
commit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
spec: 1.0.2-dev
go: go1.16.4
libseccomp: 2.5.1
```
crictl info
```
$ crictl info
{
  "status": { "conditions": [ { "type": "RuntimeReady", "status": true, "reason": "", "message": "" }, { "type": "NetworkReady", "status": true, "reason": "", "message": "" } ] },
  "cniconfig": { "PluginDirs": [ "/opt/cni/bin" ], "PluginConfDir": "/etc/cni/net.d", "PluginMaxConfNum": 1, "Prefix": "eth", "Networks": [ { "Config": { "Name": "cni-loopback", "CNIVersion": "0.3.1", "Plugins": [ { "Network": { "type": "loopback", "ipam": {}, "dns": {} }, "Source": "{\"type\":\"loopback\"}" } ], "Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n \"type\": \"loopback\"\n}]\n}" }, "IFName": "lo" }, { "Config": { "Name": "k8s-pod-network", "CNIVersion": "0.3.1", "Plugins": [ { "Network": { "type": "calico", "ipam": { "type": "calico-ipam" }, "dns": {} }, "Source": "{\"container_settings\":{\"allow_ip_forwarding\":true},\"datastore_type\":\"kubernetes\",\"ipam\":{\"type\":\"calico-ipam\"},\"kubernetes\":{\"kubeconfig\":\"/etc/cni/net.d/calico-kubeconfig\"},\"log_file_path\":\"/var/log/calico/cni/cni.log\",\"log_level\":\"info\",\"mtu\":1480,\"nodename\":\"10.5.115.75\",\"policy\":{\"type\":\"k8s\"},\"type\":\"calico\"}" }, { "Network": { "type": "portmap", "capabilities": { "portMappings": true }, "ipam": {}, "dns": {} }, "Source": "{\"capabilities\":{\"portMappings\":true},\"snat\":true,\"type\":\"portmap\"}" }, { "Network": { "type": "bandwidth", "capabilities": { "bandwidth": true }, "ipam": {}, "dns": {} }, "Source": "{\"capabilities\":{\"bandwidth\":true},\"type\":\"bandwidth\"}" } ], "Source": "{\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"log_file_path\": \"/var/log/calico/cni/cni.log\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"10.5.115.75\",\n \"mtu\": 1480,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"container_settings\": {\n \"allow_ip_forwarding\": true\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"/etc/cni/net.d/calico-kubeconfig\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": {\"bandwidth\": true}\n }\n ]\n}" }, "IFName": "eth0" } ] },
  "config": { "containerd": { "snapshotter": "overlayfs", "defaultRuntimeName": "runc", "defaultRuntime": { "runtimeType": "", "runtimeEngine": "", "PodAnnotations": null, "ContainerAnnotations": null, "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" }, "untrustedWorkloadRuntime": { "runtimeType": "", "runtimeEngine": "", "PodAnnotations": null, "ContainerAnnotations": null, "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" }, "runtimes": { "runc": { "runtimeType": "io.containerd.runc.v2", "runtimeEngine": "", "PodAnnotations": [], "ContainerAnnotations": [], "runtimeRoot": "", "options": { "BinaryName": "", "CriuPath": "", "IoGid": 0, "IoUid": 0, "NoNewKeyring": false, "NoPivotRoot": false, "Root": "", "ShimCgroup": "", "SystemdCgroup": false }, "privileged_without_host_devices": false, "baseRuntimeSpec": "" }, "untrusted": { "runtimeType": "io.containerd.runc.v2", "runtimeEngine": "", "PodAnnotations": [], "ContainerAnnotations": [], "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" } }, "noPivot": false, "disableSnapshotAnnotations": true, "discardUnpackedLayers": false }, "cni": { "binDir": "/opt/cni/bin", "confDir": "/etc/cni/net.d", "maxConfNum": 1, "confTemplate": "" }, "registry": { "configPath": "", "mirrors": { "docker.io": { "endpoint": [ "https://registry-1.docker.io" ] } }, "configs": null, "auths": null, "headers": null }, "imageDecryption": { "keyModel": "node" }, "disableTCPService": true, "streamServerAddress": "127.0.0.1", "streamServerPort": "0", "streamIdleTimeout": "15m", "enableSelinux": false, "selinuxCategoryRange": 1024, "sandboxImage": "registry.ng.bluemix.net/armada-master/pause:3.5", "statsCollectPeriod": 10, "systemdCgroup": false, "enableTLSStreaming": false, "x509KeyPairStreaming": { "tlsCertFile": "", "tlsKeyFile": "" }, "maxContainerLogSize": 16384, "disableCgroup": false, "disableApparmor": false, "restrictOOMScoreAdj": false, "maxConcurrentDownloads": 3, "disableProcMount": false, "unsetSeccompProfile": "", "tolerateMissingHugetlbController": true, "disableHugetlbController": true, "ignoreImageDefinedVolumes": false, "netnsMountsUnderStateDir": false, "containerdRootDir": "/var/data/cripersistentstorage", "containerdEndpoint": "/run/containerd/containerd.sock", "rootDir": "/var/data/cripersistentstorage/io.containerd.grpc.v1.cri", "stateDir": "/run/containerd/io.containerd.grpc.v1.cri" },
  "golang": "go1.16.4",
  "lastCNILoadStatus": "OK"
}
```
uname -a
```
$ uname -a
Linux test-c2rtj9f20cra25h0c80g-testingexec-default-0000029e 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```
About this issue
- State: open
- Created 3 years ago
- Comments: 23 (11 by maintainers)
@aojea related to changing spdystream…
Are you suggesting here just avoiding the idle reset when a ping frame is set? https://github.com/moby/spdystream/blob/master/connection.go#L161 I think that change seems reasonable, but not sure how safe that is to do without explicitly enabling in the interface. That library is stable and not expecting changes at this point. Could find a way to inject options or add a function to enable it. The issue is that it might change the “idle timeout” the client is setting, since previously it was just idle between pings.
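A simplified model of the behaviour discussed in the comment above (an added example, not code from spdystream, containerd or kubectl): an idle monitor that resets on every frame never fires while the client keeps sending pings, whereas one that ignores ping frames closes the exec session once the timeout passes without data. The frame kinds, the 5-second ping interval and the session timeline are constructed assumptions; the 15m timeout is the `streamIdleTimeout` value from the `crictl info` output above.

```go
package main

import (
	"fmt"
	"time"
)

// FrameKind is a hypothetical classification used only by this model.
type FrameKind int

const (
	Data FrameKind = iota // exec payload (stdin/stdout)
	Ping                  // client keepalive
)

// Frame is one frame seen on the connection, At being the offset from its start.
type Frame struct {
	At   time.Duration
	Kind FrameKind
}

// IdleClose replays frames (sorted by At) against an idle timer and reports
// when the connection would be closed, if that happens before `until`.
// pingsCount selects whether ping frames reset the timer.
func IdleClose(frames []Frame, timeout, until time.Duration, pingsCount bool) (time.Duration, bool) {
	deadline := timeout
	for _, f := range frames {
		if f.At >= deadline {
			break // the timer fired before this frame arrived
		}
		if f.Kind == Ping && !pingsCount {
			continue // keepalives are not treated as activity
		}
		deadline = f.At + timeout
	}
	return deadline, deadline <= until
}

// sampleSession is constructed data: the user types at 0s and 30s, then
// walks away while the client pings every 5 seconds for an hour.
func sampleSession() []Frame {
	var fr []Frame
	for t := time.Duration(0); t < time.Hour; t += 5 * time.Second {
		if t == 0 || t == 30*time.Second {
			fr = append(fr, Frame{t, Data})
		}
		if t > 0 {
			fr = append(fr, Frame{t, Ping})
		}
	}
	return fr
}

func main() {
	for _, pingsCount := range []bool{true, false} {
		at, closed := IdleClose(sampleSession(), 15*time.Minute, time.Hour, pingsCount)
		fmt.Printf("pings reset timer=%v closed=%v deadline=%v\n", pingsCount, closed, at)
	}
}
```

The second case also shows the concern raised in the comment: once pings stop counting as activity, the timeout measures time since the last data frame, which is a different quantity from idle time between pings.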