GKE を upgrade したら network plugin が死んだので対応した作業記録
Qrunch から引っ越し
※ GKE のネガキャンではありません。むしろ好きでちゃんと運用したいからこそ残しているものです。
軽い気持ちで GKE を 1.11.2-gke.18 から 1.11.3-gke.18 に upgrade した。
そして何気なく Deployment を作ったが Pod が起動しない。
kubectl describe pod で見るとおかしな event が記録されているのが分かった。
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 3m default-scheduler Successfully assigned xyz/hoge-5b4db95bf5-krmjc to gke-gke01-preemptible01-e5cc132c-77fz
Warning FailedCreatePodSandBox 3m kubelet, gke-gke01-preemptible01-e5cc132c-77fz Failed create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "af7579fb0a4ad73cfaeb083ef47de36b7f84aed7f160685384354ed0d8512339" network for pod "hoge-5b4db95bf5-krmjc": NetworkPlugin cni failed to set up pod "hoge-5b4db95bf5-krmjc_xyz" network: stat /var/lib/calico/nodename: no such file or directory: check that the calico/node container is running and has mounted /var/lib/calico/
Warning FailedCreatePodSandBox 3m kubelet, gke-gke01-preemptible01-e5cc132c-77fz Failed create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "56c9b914c9f3c940c8d5479807820814e43f6716a263ca5c9a1bf53cef6ae252" network for pod "hoge-5b4db95bf5-krmjc": NetworkPlugin cni failed to set up pod "hoge-5b4db95bf5-krmjc_xyz" network: stat /var/lib/calico/nodename: no such file or directory: check that the calico/node container is running and has mounted /var/lib/calico/
Warning FailedCreatePodSandBox 3m kubelet, gke-gke01-preemptible01-e5cc132c-77fz Failed create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "10bdc42cc20617283e18f67a4e4d171eecb4182dd0e9f7114465c4047e5f3c12" network for pod "hoge-5b4db95bf5-krmjc": NetworkPlugin cni failed to set up pod "hoge-5b4db95bf5-krmjc_xyz" network: stat /var/lib/calico/nodename: no such file or directory: check that the calico/node container is running and has mounted /var/lib/calico/
このクラスタは NetworkPolicy を有効にしているため、Calico が動作している。
kube-system namespace の Pod を見てみると、何やらひどいことが起きているようだ。
$ kubectl -n kube-system get pod | grep -E '^NAME|calico'
NAME READY STATUS RESTARTS AGE
calico-node-974fs 1/2 CrashLoopBackOff 9 24m
calico-node-fx464 1/2 CrashLoopBackOff 9 24m
calico-node-kzhsr 1/2 CrashLoopBackOff 9 24m
calico-node-q4ktd 1/2 CrashLoopBackOff 9 24m
calico-node-qwqsx 1/2 CrashLoopBackOff 9 24m
calico-node-vertical-autoscaler-547d98499d-l7rd2 1/1 Running 0 6h
calico-typha-5977794b76-dmxjr 0/1 CrashLoopBackOff 9 24m
calico-typha-horizontal-autoscaler-5ff7f558cc-2ksbc 1/1 Running 0 19h
calico-typha-vertical-autoscaler-5d4bf57df5-hp8r6 1/1 Running 0 6h
network plugin が動作しなくなっているため、既存 Pod はまだ生き延びられるが、新規 Pod が起動しない状態になっているようだ。
calico-node の DaemonSet を YAML で出力して中身をみると、v2.6.11 だったはずの calico のイメージが v3.2.4 に上がっていた。
(バージョンを確認したのは、別件で GKE の問い合わせをしていて Calico のバージョンが変わりそうな気配を感じていたため)
別途 NetworkPolicy を有効にした新規クラスタを作成してみて、そちらでは問題無く動作することを確認。
問題が起きている方のクラスタで calico-node の Pod のログを見ると以下のようになっていた。
2018-12-05 05:16:41.622 [INFO][8] startup.go 252: Early log level set to info
2018-12-05 05:16:41.623 [INFO][8] startup.go 268: Using NODENAME environment for node name
2018-12-05 05:16:41.623 [INFO][8] startup.go 280: Determined node name: gke-gke00-preemptible01-df3d5d39-m2h6
2018-12-05 05:16:41.624 [INFO][8] startup.go 303: Checking datastore connection
2018-12-05 05:16:41.638 [INFO][8] startup.go 327: Datastore connection verified
2018-12-05 05:16:41.638 [INFO][8] startup.go 100: Datastore is ready
2018-12-05 05:16:41.651 [INFO][8] startup.go 1052: Running migration
2018-12-05 05:16:41.651 [INFO][8] migrate.go 866: Querying current v1 snapshot and converting to v3
2018-12-05 05:16:41.651 [INFO][8] migrate.go 875: handling FelixConfiguration (global) resource
2018-12-05 05:16:41.658 [INFO][8] migrate.go 875: handling ClusterInformation (global) resource
2018-12-05 05:16:41.658 [INFO][8] migrate.go 875: skipping FelixConfiguration (per-node) resources - not supported
2018-12-05 05:16:41.658 [INFO][8] migrate.go 875: handling BGPConfiguration (global) resource
2018-12-05 05:16:41.658 [INFO][8] migrate.go 600: Converting BGP config -> BGPConfiguration(default)
2018-12-05 05:16:41.677 [INFO][8] migrate.go 875: skipping Node resources - these do not need migrating
2018-12-05 05:16:41.677 [INFO][8] migrate.go 875: skipping BGPPeer (global) resources - these do not need migrating
2018-12-05 05:16:41.677 [INFO][8] migrate.go 875: handling BGPPeer (node) resources
2018-12-05 05:16:41.687 [INFO][8] migrate.go 875: skipping HostEndpoint resources - not supported
2018-12-05 05:16:41.687 [INFO][8] migrate.go 875: skipping IPPool resources - these do not need migrating
2018-12-05 05:16:41.687 [INFO][8] migrate.go 875: skipping GlobalNetworkPolicy resources - these do not need migrating
2018-12-05 05:16:41.687 [INFO][8] migrate.go 875: skipping Profile resources - these do not need migrating
2018-12-05 05:16:41.688 [INFO][8] migrate.go 875: skipping WorkloadEndpoint resources - these do not need migrating
2018-12-05 05:16:41.688 [INFO][8] migrate.go 875: data converted successfully
2018-12-05 05:16:41.688 [INFO][8] migrate.go 866: Storing v3 data
2018-12-05 05:16:41.688 [INFO][8] migrate.go 875: Storing resources in v3 format
2018-12-05 05:16:41.752 [INFO][8] migrate.go 1151: Failed to create resource Key=BGPConfiguration(default) error=resource does not exist: BGPConfiguration(default) with error: the server could not find the requested resource (post BGPConfigurations.crd.projectcalico.org)
2018-12-05 05:16:41.753 [ERROR][8] migrate.go 884: Unable to store the v3 resources
2018-12-05 05:16:41.753 [INFO][8] migrate.go 875: cause: resource does not exist: BGPConfiguration(default) with error: the server could not find the requested resource (post BGPConfigurations.crd.projectcalico.org)
2018-12-05 05:16:41.753 [ERROR][8] startup.go 107: Unable to ensure datastore is migrated. error=Migration failed: error storing converted data: resource does not exist: BGPConfiguration(default) with error: the server could not find the requested resource (post BGPConfigurations.crd.projectcalico.org)
2018-12-05 05:16:41.753 [WARNING][8] startup.go 1066: Terminating
新規構築したクラスタの calico-node の Pod のログと見比べると migrate.go の行が存在しない。
2018-12-05 05:16:41.651 [INFO][8] startup.go 1052: Running migration という部分が鍵と思われる。
startup.go は projectcalico/node を見れば良さそうだが、
migrate.go は projectcalico/libcalico-go にあるようだ。
libcalico-go のバージョンはどれを使っているのか分からないが、ログから BGPConfiguration を作れていない様子がうかがえる。
Kubernetes における Calico は CustomResourceDefinition として設定を管理しているらしいので、crd の定義を調べる
$ kubectl get crd
NAME AGE
backendconfigs.cloud.google.com 22h
clusterinformations.crd.projectcalico.org 22h
felixconfigurations.crd.projectcalico.org 22h
globalbgpconfigs.crd.projectcalico.org 22h
globalfelixconfigs.crd.projectcalico.org 22h
globalnetworkpolicies.crd.projectcalico.org 22h
globalnetworksets.crd.projectcalico.org 22h
hostendpoints.crd.projectcalico.org 22h
ippools.crd.projectcalico.org 22h
networkpolicies.crd.projectcalico.org 22h
scalingpolicies.scalingpolicy.kope.io 22h
ログには
the server could not find the requested resource (post BGPConfigurations.crd.projectcalico.org)
と出ていて、実際に bgpconfigurations.crd.projectcalico.org は存在しない。
とりあえず手動で CRD を追加してみたい。
内容が分からないので適当にググると https://github.com/projectcalico/libcalico-go/blob/master/test/crds.yaml が見つかった。
元の CRD を残しておきつつ、この crds.yaml を適用してみる。
$ kubectl get crd -o yaml > crd-backup.yaml
$ curl -LO https://raw.githubusercontent.com/projectcalico/libcalico-go/master/test/crds.yaml
$ kubectl apply -f crds.yaml
customresourcedefinition.apiextensions.k8s.io "globalfelixconfigs.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "globalbgpconfigs.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "ippools.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "bgppeers.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworkpolicies.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "hostendpoints.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "felixconfigurations.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "bgpconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "clusterinformations.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "networkpolicies.crd.projectcalico.org" configured
customresourcedefinition.apiextensions.k8s.io "globalnetworksets.crd.projectcalico.org" configured
bgppeers.crd.projectcalico.org と bgpconfigurations.crd.projectcalico.org が新規作成されたようだ。
CRD が作られたので、CrashLoopBackOff になっていた calico-node や calico-typha の Pod を消して再作成させる。
$ kubectl -n kube-system get pod -l k8s-app=calico-node
$ kubectl -n kube-system delete pod -l k8s-app=calico-node
$ kubectl -n kube-system get pod -l k8s-app=calico-typha
$ kubectl -n kube-system delete pod -l k8s-app=calico-typha
これでしばらく放置しておくと、calico-node や calico-typha の Pod が起動し、他の Pod も起動するようになった。
migrate.go が成功した部分のログは以下のようなものだった。
2018-12-05 05:45:51.223 [INFO][8] startup.go 1052: Running migration
2018-12-05 05:45:51.223 [INFO][8] migrate.go 866: Querying current v1 snapshot and converting to v3
2018-12-05 05:45:51.223 [INFO][8] migrate.go 875: handling FelixConfiguration (global) resource
2018-12-05 05:45:51.232 [INFO][8] migrate.go 875: handling ClusterInformation (global) resource
2018-12-05 05:45:51.232 [INFO][8] migrate.go 875: skipping FelixConfiguration (per-node) resources - not supported
2018-12-05 05:45:51.232 [INFO][8] migrate.go 875: handling BGPConfiguration (global) resource
2018-12-05 05:45:51.232 [INFO][8] migrate.go 600: Converting BGP config -> BGPConfiguration(default)
2018-12-05 05:45:51.245 [INFO][8] migrate.go 875: skipping Node resources - these do not need migrating
2018-12-05 05:45:51.245 [INFO][8] migrate.go 875: skipping BGPPeer (global) resources - these do not need migrating
2018-12-05 05:45:51.245 [INFO][8] migrate.go 875: handling BGPPeer (node) resources
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: skipping HostEndpoint resources - not supported
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: skipping IPPool resources - these do not need migrating
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: skipping GlobalNetworkPolicy resources - these do not need migrating
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: skipping Profile resources - these do not need migrating
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: skipping WorkloadEndpoint resources - these do not need migrating
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: data converted successfully
2018-12-05 05:45:51.255 [INFO][8] migrate.go 866: Storing v3 data
2018-12-05 05:45:51.255 [INFO][8] migrate.go 875: Storing resources in v3 format
2018-12-05 05:45:51.324 [INFO][8] migrate.go 875: success: resources stored in v3 datastore
2018-12-05 05:45:51.324 [INFO][8] migrate.go 866: Migrating IPAM data
2018-12-05 05:45:51.324 [INFO][8] migrate.go 875: no data to migrate - not supported
2018-12-05 05:45:51.324 [INFO][8] migrate.go 866: Data migration from v1 to v3 successful
2018-12-05 05:45:51.324 [INFO][8] migrate.go 875: check the output for details of the migrated resources
2018-12-05 05:45:51.324 [INFO][8] migrate.go 875: continue by upgrading your calico/node versions to Calico v3.x
2018-12-05 05:45:51.324 [INFO][8] startup.go 1056: Migration successful
本来は GKE 側で修正されることではないかと思うが、どうなるのだろう。
後日確認・追記 (12/14)
- GKE の Release Notes の Known Issues (抜粋):
> Users upgrading to GKE 1.11.3 on clusters that use Calico network policies may experience failures due to a problem recreating the BGPConfigurations.crd.projectcalico.org resource. This problem does not affect newly-created clusters. This is expected to be fixed in the coming weeks.
>
> To work around this problem, you can create the BGPConfigurations.crd.projectcalico.org resource manually: - Google の Issue Tracker: URGENT: after upgrading master nodes to 1.11.3 calico stopped working
- Calico の Issue: #2324
- Kubernetes の PullRequest: #71868, #71682
ツイッターでシェア
みんなに共有、忘れないようにメモ
Crieitは誰でも投稿できるサービスです。 是非記事の投稿をお願いします。どんな軽い内容でも投稿できます。
また、「こんな記事が読みたいけど見つからない!」という方は是非記事投稿リクエストボードへ!
こじんまりと作業ログやメモ、進捗を書き残しておきたい方はボード機能をご利用ください。
ボードとは?
コメント