Kernel 5.1+ in EKS Amazon Linux AMI to resolve conntrack race conditions #357
Comments
|
kernel >= 4.19 will have these necessary patches:
updated: iptables are replaced by nftables (backend) in rhel 8 or debian buster and it's playing up with kube-proxy, a better bet is sticking with debian stretch (iptables 1.6) I made another ami (Linux 4.19.0-0.bpo.6-amd64 using debian-backports kernel) |
|
How did this go out to GA? |
|
What is the state of this issue? Is there an ETA for the fix? |
|
It looks like you can get the 4.19 kernel on the EKS AMI via: |
|
From looking at this: torvalds/linux@4e35c1c |
|
I'm not quite sure why, but NodeLocalDNS isn't working for our environment. It works -- does what it should do -- but doesn't mitigate the conntrack errors or even greatly reduce DNS latency. I'm digging into coredns settings on the local pods now, but my understanding is that the |
|
Hey @jaygorrell I worked with @rchernobelskiy to set this up for us so I can speak to that. First if you haven't already I'd suggest looking at this link for setting up nodelocaldns. I initially started out with master but it turned out it's not quite stable yet so best to use release-1.16. Also the effectiveness of ndots and search will depend on the base image you're using. Since we are on primarily Alpine we didn't get much benefit out of tweaking those settings. We are seeing a slightly higher latency on external requests but the rest of our stuff that uses |
|
Hey @dougwettlaufer, thanks for the response. I actually have NodeLocalDNS set up and working fine. I can confirm the local DNS cache is working with dig and such. I'm just not seeing improved results. Like I mentioned before, the conntrack errors that this is supposed to mitigate are still happening with the occasional DNS request taking over 1s, just as before. They're always external DNS records though, which makes me think there's still a conntrack race happening somewhere with all the search domains. My question about how you're requesting services was more about the way you address them. Are you using the full Anyways, I'm mostly just wondering if anyone else had to tweak the clusterlocaldns configmap to improve caching and such since we're still getting conntrack errors and occasional DNS latency. I'm going to try manually making it search external domains better but I don't think we should need to do this. |
|
I set the |
This is only a partial fix and doesn't work for Alpine-based containers. |
|
@rchernobelskiy @owlwalks @daniel-ciaglia You probably know this already but for others who wander here wondering how to resolve this still. I just downloaded the latest amazon linux source code ( linux-4.19.84) onto a clean instance after updating the kernel on it. I do see the two patches are there in the code now. Method used to check: cd tmp-kernel-dir/linux-4.19.84/net/netfilter less the nf_conntrack_core.c Validate against above two patches. We are going to rollout new amis with this patch and I'll update here if we see the problem disappear or whatever our result was. |
|
Thanks @isaacegglestone! Any ETA for upgrading the AMI to use the new kernel? We need other features that would be enabled by kernel 4.19+ as well. |
|
This is badly needed. Any ETA for the patch to be GA? |
|
We are working with the Amazon Linux kernel team to backport the fixes into 4.14 kernel. I will keep this thread updated with the progress. Appreciate the patience! |
|
@rtripat are we also backporting all sockmap related patches which landed in 4.17 to ami 4.14? |
|
The worker AMI release has the conntrack race condition fixes backported into 4.14 kernel. More specifically the following patches Please give it a try! |
@abhay2101 : Can you please point me to the specific patches? |
|
We use the NodeLocal DNS Cache as recommended by AWS in their blog post titled EKS DNS at scale and spikeiness. The corefile specifies |
|
I've just put amazon-eks-node-1.15-v20200312 (ami-0e710550577202c55) on my us-west-2 EKS cluster and I see no difference comparing to v20200228. I see the same DNS fail rate. For some pods, if I just try a ping google.com I get about 70% fail rate. I had to manually update the Launch Template as it is not yet available in EKS to be rolled out. I've also set ndots option to 1 and it is actually an improvement in the failure rate, but still unusable. |
My test yielded the same result as yours. No improvement in reducing getaddrinfo errors. |
|
Today I built a custom Debian based image which is supposed to solve this issue. I got inspired from this post and I have managed to build a Debian based amazon-eks-node-1.15-v20200331 AMI with Packer. This is what kubectl get nodes reports: Unfortunately I see no improvement for DNS queries. They still fail at about the same rate. |
|
Any chance we can scale down the # of pods sending requests to verify if DNS throttling could be part of the reason?
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-limits |
I have set a podAntiAffinity that ensures that it's hosted across different nodes. podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: k8s-app
operator: In
values:
- kube-dns |
|
Any change in the last two weeks? Still can't upgrade my EKS cluster from 1.12 until this (these?) is fixed. |
|
We are sorry you continue to face this issue. We have been working on a reproduction and have been unsuccessful so far in the latest EKS worker AMIs. @palmbardier @betinro : Can you provide more detailed reproduction steps on your environment where this is happening? |
|
Issue reproduced several times today with v20200406: Example |
|
Have you guys tested the new Bottlerocket OS that uses kernel 5.4+ to check the I know that is still in beta, but it's good to have it documented, my cluster running it is not big enough for having such issue. |
Finally! Can't reproduce using amazon-eks-node-1.15-v20200409 - ami-0d0c1c9bb079158ae ! |
That's encouraging. Did you mean |
Same, I've faced the same issue. VM is up but not connected to the internet/master. |
@imranismail , @azhurbilo EC2 instance starting successfully but failing to join the EKS cluster can be for various reasons like network connectivity from instance to cluster and is possibly unrelated to this issue. Have you tried looking at VPC configuration of your cluster? |
|
I've managed to fix my DNS related problem. Looks like it was not Conntrack issue related. I am not sure exactly what the problem itself was, but it was definitely related to the fact I have created my EKS cluster in an existing VPC. That VPC already contained a Kops K8s cluster plus some other workloads/instances, outside the cluster. Apparently they shouldn't cause a problem each other. To optimize your cluster you may also consider using FQDN addresses, at least the internal ones. It also helps setting Hopefully these tips will help somebody out there. |
|
any update? |
|
We were planning to release 5.4.x kernel with EKS 1.19 release followed by updating AMIs of all supported Kubernetes versions. However, an Amazon engineer found a kernel bug in versions 4.19.86 and higher. We have submitted a patch upstream and are waiting for that to be merged. |
|
Hi! Could you give us an update on the subject? Were are facing a lot of DNS resolution failures, causing almost 50% of our CI jobs (running on EKS) to fail. We're using amazon-eks-node-1.18-v20201211 AMI. |
|
For customers looking to use Linux kernel 5.4 as a solution to this, there are now two options. 1 Upgrade the kernel use amazon-linux-extras 2 Upgrade to Kubernetes version 1.19 EKS optimized AMIs 1.19+ will now come with the 5.4 kernel by default, so you can upgrade your clusters to 1.19 to use the latest AMI with 5.4. |
|
Also, please let us know if upgrading the kernel doesn't resolve the issue for you. |
|
Thanks a lot! |
|
That's great news :D I'm going to resolve this issue since it's primarily focused on upgrading the kernel and seems to resolve the problems for some customers. However, anyone who's upgraded the kernel or using the 1.19 AMI, please open up a new issue if you're still seeing these problems. |
|
We've had a report from a customer that they are still seeing issues with conntrack race conditions on the 5.4 kernel. It may be related to customers using the CNI feature per pod security group. We've been working with the AmazonLinux team over the last couple of days and have identified patches that seem to fix the issue. Work is being done to merge these patches and get them out in the next AL2 release. Once a new kernel is released, customers can run We'll update here when the patch and the new AMIs are available. |
|
With Kernel "5.4.95-42.163.amzn2.x86_64", the issue is not just related to DNS lookups. At a certain load especially on bigger instances, there were also significant packet drops with nf_conntrack errors in "/var/log/messages" of the host. Rolling back to EKS AMI for 1.18 (kernel 4.14) helped resolved our issue.
|
and others
What would you like to be added:
I would like the EKS AMIs to be on at least kernel version 5.1 to address the well-documented[0][1]
conntrackrace conditions.Why is this needed:
There are some kernel-level race conditions with
conntrackthat frequently manifest as timed out DNS lookups in Kubernetes clusters. Two of the three race conditions have been patched in the kernel and are released in v5.1.The third race condition is mitigated by Local DNS cache requested in another issue[2].
Attachments
[0] https://www.weave.works/blog/racy-conntrack-and-dns-lookup-timeouts
[1] https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02
[2] aws/containers-roadmap#303
The text was updated successfully, but these errors were encountered: