gvisor: GKE Sandbox: OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104

Hi! I don’t know if this is the correct site to publish this kind of issue, as it is related to gVisor but on top of GKE.

Scenario

We are using GKE with a node pool with the GKE Sandbox feature enabled. We found an error during an image upload to the Telegram API.

TL;DR

# curl -X POST "https://api.telegram.org/bot990060833:I_CAN_SEND_YOU_THE_TOKEN/sendPhoto" -F chat_id=334621642 -F photo="@googlelogo_color_92x30dp.png" --verbose
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 149.154.167.220:443...
* TCP_NODELAY set
* Connected to api.telegram.org (149.154.167.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
 Server certificate:
*  subject: OU=Domain Control Validated; CN=api.telegram.org
*  start date: May  4 14:42:31 2018 GMT
*  expire date: May 23 16:17:38 2020 GMT
*  subjectAltName: host "api.telegram.org" matched cert's "api.telegram.org"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
> POST /bot990060833:I_CAN_SEND_YOU_THE_TOKEN/sendPhoto HTTP/1.1
> Host: api.telegram.org
> User-Agent: curl/7.66.0
> Accept: */*
> Content-Length: 4142
> Content-Type: multipart/form-data; boundary=------------------------c5bb5ff482d768bf
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
* Closing connection 0
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104

  • runsc -v:
/home/containerd/usr/local/sbin/runsc --version
runsc version google-281502745
spec: 1.0.1-dev 
  • docker version or docker info if more relevant
docker version
Client:
 Version:           19.03.1
 API version:       1.40
 Go version:        go1.11.2
 Git commit:        74b1e89
 Built:             Wed Oct  9 06:26:18 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.1
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.11.2
  Git commit:       74b1e89
  Built:            Wed Oct  9 06:25:30 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.8
  GitCommit:        a4bc1d432a2c33aa2eed37f338dceabb93641310
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683b971d9c3ef73f284f176672c44b448662
  • uname -a - git describe
$ uname -a
Linux gke-live-clients-7bd46286-mtrp 4.19.76+ #1 SMP Tue Oct 8 23:17:06 PDT 2019 x86_64 Intel(R) Xeon(R) CPU @ 2.20GHz GenuineIntel GNU/Linux
  • Detailed reproduction steps

To debug this problem more deeply, we entered one of the nodes via SSH and modified the Docker daemon configuration to run some tests:

First, configure runsc as an available Docker runtime:

cat /etc/docker/daemon.json
{
    "live-restore": true,
    "runtimes": {
        "runsc": {
            "path": "/home/containerd/usr/local/sbin/runsc"
        }
    },
    "storage-driver": "overlay2"
}

Then run the following containers to reproduce the error:

1st without gvisor/runsc

$ docker run  --rm -it -m 128Mi --cpus="0.1" alpine:3.10 /bin/sh
# apk add curl
# curl https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png --output googlelogo_color_92x30dp.png
# curl -X POST "https://api.telegram.org/bot990060833:I_CAN_SEND_YOU_THE_TOKEN/sendPhoto" -F chat_id=334621642 -F photo="@googlelogo_color_92x30dp.png" --verbose

# TRUNCATED OUTPUT #

< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Tue, 07 Jan 2020 15:43:53 GMT
< Content-Type: application/json
< Content-Length: 413
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
< 
* Connection #0 to host api.telegram.org left intact
{"ok":true,"result":{"message_id":9,"from":{"id":990060833,"is_bot":true,"first_name":"testk8spin","username":"k8spin_bot"},"chat":{"id":334621642,"first_name":"Pau","last_name":"Rosello","username":"paurosello","type":"private"},"date":1578411833,"photo":[{"file_id":"AgADBAADSLIxG3cuoFCCXM-yOT0enWp5qBsABAEAAwIAA20AA-M0BgABFgQ","file_unique_id":"AQADanmoGwAE4zQGAAE","file_size":4066,"width":184,"height":60}]}}/ # 

2nd with gvisor/runsc

$ docker run --runtime=runsc --rm -it -m 128Mi --cpus="0.1" alpine:3.10 /bin/sh
# apk add curl
# curl https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png --output googlelogo_color_92x30dp.png
# curl -X POST "https://api.telegram.org/bot990060833:I_CAN_SEND_YOU_THE_TOKEN/sendPhoto" -F chat_id=334621642 -F photo="@googlelogo_color_92x30dp.png" --verbose
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 149.154.167.220:443...
* TCP_NODELAY set
* Connected to api.telegram.org (149.154.167.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
 Server certificate:
*  subject: OU=Domain Control Validated; CN=api.telegram.org
*  start date: May  4 14:42:31 2018 GMT
*  expire date: May 23 16:17:38 2020 GMT
*  subjectAltName: host "api.telegram.org" matched cert's "api.telegram.org"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
> POST /bot990060833:I_CAN_SEND_YOU_THE_TOKEN/sendPhoto HTTP/1.1
> Host: api.telegram.org
> User-Agent: curl/7.66.0
> Accept: */*
> Content-Length: 4142
> Content-Type: multipart/form-data; boundary=------------------------c5bb5ff482d768bf
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
* Closing connection 0
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104

I cannot reproduce it locally, even with the same runsc and Docker versions/binaries.

Let me know if more information is needed (the API token, for example)!

Thanks!
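Added here as a triage helper (not part of the report or of gVisor): a parser that walks a curl --verbose trace and reports in which phase a syscall error landed, so a post-upload ECONNRESET like the one above can be told apart from a connect or handshake failure. The two traces are constructed excerpts of the runsc and runc runs shown in the reproduction steps, and the errno names assume Linux values.

```python
import re
from typing import Dict, List, Optional

# Linux errno values that commonly appear in curl's SSL_ERROR_SYSCALL line (assumption: Linux).
LINUX_ERRNO = {32: "EPIPE", 104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED"}

# Constructed excerpts of the two curl --verbose traces from the report (runsc run, then runc run).
RUNSC_TRACE = """\
* Connected to api.telegram.org (149.154.167.220) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> POST /bot<TOKEN>/sendPhoto HTTP/1.1
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
* Closing connection 0
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
"""
RUNC_TRACE = """\
* Connected to api.telegram.org (149.154.167.220) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> POST /bot<TOKEN>/sendPhoto HTTP/1.1
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
* Connection #0 to host api.telegram.org left intact
"""


def triage_curl_trace(trace: str) -> Dict[str, object]:
    """Walk a curl --verbose trace, tracking how far the exchange got,
    so a syscall error can be attributed to the phase it interrupted."""
    phase, err, exit_code = "connect", None, 0  # type: str, Optional[int], int
    statuses: List[str] = []
    for line in trace.splitlines():
        if line.startswith("* Connected to"):
            phase = "tls_handshake"
        elif line.startswith("* SSL connection using"):
            phase = "tls_established"
        elif line.startswith(">"):                      # request bytes going out
            phase = "request_sent"
        elif line.startswith("< HTTP/"):                # status line from the server
            statuses.append(line[2:].strip())
            phase = "interim_100" if " 100 " in line else "response_received"
        elif line.startswith("* We are completely uploaded"):
            phase = "upload_complete"
        m = re.search(r"SSL_ERROR_SYSCALL, errno (\d+)", line)
        if m:
            err = int(m.group(1))
        m = re.match(r"curl: \((\d+)\)", line)          # curl's own exit code line
        if m:
            exit_code = int(m.group(1))
    verdict = "ok" if err is None else f"{LINUX_ERRNO.get(err, 'errno ' + str(err))} after {phase}"
    return {"phase": phase, "errno": err, "exit_code": exit_code, "statuses": statuses, "verdict": verdict}
```

A verdict of "ECONNRESET after upload_complete" with only a 100 Continue in the status list is the signature of this report: the TLS session and the request were fine, and the peer side of the sandbox connection went away only after the body had been fully written.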

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 26 (11 by maintainers)

Most upvoted comments

The estimate is for the fix to be available in production in early February.