[jira] [Created] (MESOS-9836) Docker containerizer overwrites `/mesos/slave` cgroups.

Mon, 10 Jun 2019 20:28:30 -0700 

Chun-Hung Hsiao created MESOS-9836:
--------------------------------------

             Summary: Docker containerizer overwrites `/mesos/slave` cgroups.
                 Key: MESOS-9836
                 URL: https://issues.apache.org/jira/browse/MESOS-9836
             Project: Mesos
          Issue Type: Bug
          Components: containerization
            Reporter: Chun-Hung Hsiao


The following bug was observed on our internal testing cluster.

The docker containerizer launched a container on an agent:
{noformat}
I0523 06:00:53.888579 21815 docker.cpp:1195] Starting container 
'f69c8a8c-eba4-4494-a305-0956a44a6ad2' for task 
'apps_docker-sleep-app.1fda5b8e-7d20-11e9-9717-7aa030269ee1' (and executor 
'apps_docker-sleep-app.1fda5b8e-7d20-11e9-9717-7aa030269ee1') of framework 
415284b7-2967-407d-b66f-f445e93f064e-0011
I0523 06:00:54.524171 21815 docker.cpp:783] Checkpointing pid 13716 to 
'/var/lib/mesos/slave/meta/slaves/60c42ab7-eb1a-4cec-b03d-ea06bff00c3f-S2/frameworks/415284b7-2967-407d-b66f-f445e93f064e-0011/executors/apps_docker-sleep-app.1fda5b8e-7d20-11e9-9717-7aa030269ee1/runs/f69c8a8c-eba4-4494-a305-0956a44a6ad2/pids/forked.pid'
{noformat}
After the container was launched, the docker containerizer did a {{docker 
inspect}} on the container and cached the pid:
 
[https://github.com/apache/mesos/blob/0c431dd60ae39138cc7e8b099d41ad794c02c9a9/src/slave/containerizer/docker.cpp#L1764]
 The pid should be slightly greater than 13716.

The docker executor sent a {{TASK_FINISHED}} status update around 16 minutes 
later:
{noformat}
I0523 06:16:17.287595 21809 slave.cpp:5566] Handling status update 
TASK_FINISHED (Status UUID: 4e00b786-b773-46cd-8327-c7deb08f1de9) for task 
apps_docker-sleep-app.1fda5b8e-7d20-11e9-9717-7aa030269ee1 of framework 
415284b7-2967-407d-b66f-f445e93f064e-0011 from executor(1)@172.31.1.7:36244
{noformat}
After receiving the terminal status update, the agent asked the docker 
containerizer to update {{cpu.cfs_period_us}}, {{cpu.cfs_quota_us}} and 
{{memory.soft_limit_in_bytes}} of the container through the cached pid:
 
[https://github.com/apache/mesos/blob/0c431dd60ae39138cc7e8b099d41ad794c02c9a9/src/slave/containerizer/docker.cpp#L1696]
{noformat}
I0523 06:16:17.290447 21815 docker.cpp:1868] Updated 'cpu.shares' to 102 at 
/sys/fs/cgroup/cpu,cpuacct/mesos/slave for container 
f69c8a8c-eba4-4494-a305-0956a44a6ad2
I0523 06:16:17.290660 21815 docker.cpp:1895] Updated 'cpu.cfs_period_us' to 
100ms and 'cpu.cfs_quota_us' to 10ms (cpus 0.1) for container 
f69c8a8c-eba4-4494-a305-0956a44a6ad2
I0523 06:16:17.889816 21815 docker.cpp:1937] Updated 
'memory.soft_limit_in_bytes' to 32MB for container 
f69c8a8c-eba4-4494-a305-0956a44a6ad2
{noformat}
Note that the cgroup of {{cpu.shares}} was {{/mesos/slave}}. This was possibly 
because that over the 16 minutes the pid got reused:
{noformat}
# zgrep 'systemd.cpp:98\]' /var/log/mesos/archive/mesos-agent.log.12.gz
...
I0523 06:00:54.525178 21815 systemd.cpp:98] Assigned child process '13716' to 
'mesos_executors.slice'
I0523 06:00:55.078546 21808 systemd.cpp:98] Assigned child process '13798' to 
'mesos_executors.slice'
I0523 06:00:55.134096 21808 systemd.cpp:98] Assigned child process '13799' to 
'mesos_executors.slice'
...
I0523 06:06:30.997439 21808 systemd.cpp:98] Assigned child process '32689' to 
'mesos_executors.slice'
I0523 06:06:31.050976 21808 systemd.cpp:98] Assigned child process '32690' to 
'mesos_executors.slice'
I0523 06:06:31.110514 21815 systemd.cpp:98] Assigned child process '32692' to 
'mesos_executors.slice'
I0523 06:06:33.143726 21818 systemd.cpp:98] Assigned child process '446' to 
'mesos_executors.slice'
I0523 06:06:33.196251 21818 systemd.cpp:98] Assigned child process '447' to 
'mesos_executors.slice'
I0523 06:06:33.266332 21816 systemd.cpp:98] Assigned child process '449' to 
'mesos_executors.slice'
...
I0523 06:09:34.870056 21808 systemd.cpp:98] Assigned child process '13717' to 
'mesos_executors.slice'
I0523 06:09:34.937762 21813 systemd.cpp:98] Assigned child process '13744' to 
'mesos_executors.slice'
I0523 06:09:35.073971 21817 systemd.cpp:98] Assigned child process '13754' to 
'mesos_executors.slice'
...
{noformat}
It was highly likely that the container itself exited around 06:09:35, way 
before the docker executor detected and reported the terminal status update, 
and then its pid was reused by another forked child of the agent, and thus 
{{cpu.cfs_period_us}}, {{cpu.quota_us}} and {{memory.soft_limit_in_bytes}} of 
the {{/mesos/slave}} cgroup was mistakenly overwritten.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to