All probes (liveness, readiness) fail on Debian 11 / CRI-O 1.25.1 / K8S 1.25.4

Xnyle · December 2, 2022, 3:21pm

I’m probably missing something important but could’t find anything in either k8s not cri-o docs:

After a fresh k8s install all probes are failing in my setup. Everything else is running fine, but not the probes.

What I did:

Installed vanilla K8S 1.25.4 on vanilla Debian 11 with vanilla cri-o 1.25.1 as container runtime. (also tried 1.24, same result)

Then applied test pod from here

https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/probe/exec-liveness.yaml

And then I get the following from the logs:

1202 13:06:06.257580 17325 remote_runtime.go:734] “ExecSync cmd from runtime service failed” err=“rpc error: code = Unknown desc = command error: EOF, stdout: , stderr: , exit code -1” containerID=“ec9eb6391c79e079c4ee6ecdede3f8916a0ef3e6d74aefb069048171db41b455” cmd=[cat /tmp/healthy]

It seems it doesn’t matter how I redefine the probes, they always fail.

Client Version: version.Info{Major:“1”, Minor:“25”, GitVersion:“v1.25.4”, GitCommit:“872a965c6c6526caa949f0c6ac028ef7aff3fb78”, GitTreeState:“archive”, BuildDate:“2022-11-10T22:18:49Z”, GoVersion:“go1.19.3”, Compiler:“gc”, Platform:“linux/amd64”}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:“1”, Minor:“25”, GitVersion:“v1.25.4”, GitCommit:“872a965c6c6526caa949f0c6ac028ef7aff3fb78”, GitTreeState:“clean”, BuildDate:“2022-11-09T13:29:58Z”, GoVersion:“go1.19.3”, Compiler:“gc”, Platform:“linux/amd64”}

Os is Debian 11, kernel 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux

I installed k8s as follows

kubeadm init --config seeBelowFileContents

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: systemd

apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
nodeRegistration:
criSocket: “unix:///var/run/crio/crio.sock”

Pods are starting, DNS is working, even complex deployments are running if I just disable the probes, but probes autofail no matter what. I can exec into the pod and (kubectl) execute what the probes did, working as well.

What am I missing?

Xnyle · December 5, 2022, 8:20am


kubelet[948680]: I1205 08:17:08.507645  948680 prober.go:163] "Exec-Probe runProbe" pod="default/liveness-exec" containerName="liveness" execCommand=[cat /tmp/healthy]
systemd[1]: run-runc-726d4c2010b67629535c1e2560664592546fa50f97ab0502e8592e7e4628dd31-runc.5SNNUr.mount: Succeeded.
systemd[928226]: run-runc-726d4c2010b67629535c1e2560664592546fa50f97ab0502e8592e7e4628dd31-runc.5SNNUr.mount: Succeeded.
kubelet[948680]: E1205 08:17:08.557373  948680 remote_runtime.go:711] "ExecSync cmd from runtime service failed" err="rpc error: code = Unknown desc = command error: EOF, stdout: , stderr: , exit code -1" containerID="726d4c2010b67629535c1e2560664592546fa50f97ab0502e8592e7e4628dd31" cmd=[cat /tmp/healthy]
kubelet[948680]: I1205 08:17:08.557404  948680 exec.go:62] Exec probe response: ""
kubelet[948680]: E1205 08:17:08.557424  948680 prober.go:118] "Probe errored" err="rpc error: code = Unknown desc = command error: EOF, stdout: , stderr: , exit code -1" probeType="Liveness" pod="default/liveness-exec" podUID=d5e694d2-1dc0-433c-b652-7b2a8c59bbbd containerName="liveness"
kubelet[948680]: I1205 08:17:08.557587  948680 event.go:294] "Event occurred" object="default/liveness-exec" fieldPath="spec.containers{liveness}" kind="Pod" apiVersion="v1" type="Warning" reason="Unhealthy" message="Liveness probe errored: rpc error: code = Unknown desc = command error: EOF, stdout: , stderr: , exit code -1"

Xnyle · December 5, 2022, 3:05pm

It probably has to do with defective cni config.
All the snippets I can find regarding flannel and cri-o are a bit confusing to say the least.

Does anyone have a working cni config for bare metal + cri-o + flannel?

Xnyle · December 6, 2022, 7:07am

If anyone else lands here: it’s related to a bug in conmon that hits on Debian Busters version:

github.com/cri-o/cri-o

Startup probe fails on Crio-1.24

opened 04:05PM - 29 Aug 22 UTC

closed 08:17AM - 30 Aug 22 UTC

rkojedzinszky

kind/bug

### What happened? Upgraded cri from cri-o-1.23 to cri-o-1.24, and pods havin…g startupProbes of exec type fails to get ready. ### What did you expect to happen? A seamless upgrade ### How can we reproduce it (as minimally and precisely as possible)? Have a k8s deployment: ``` apiVersion: apps/v1 kind: Deployment metadata: name: unbound spec: selector: matchLabels: app: unbound template: metadata: labels: app: unbound spec: containers: - image: ghcr.io/kubernetize/unbound:3.16.2 imagePullPolicy: IfNotPresent livenessProbe: exec: command: - dig - '@127.0.0.1' - . - ns - +tcp name: unbound securityContext: capabilities: add: - NET_BIND_SERVICE runAsNonRoot: true startupProbe: exec: command: - nslookup - -type=soa - google.com - 127.0.0.1 ``` ### Anything else we need to know? Kubelet reports this: ``` kubelet[615]: E0829 16:06:43.000635 615 remote_runtime.go:711] "ExecSync cmd from runtime service failed" err="rpc error: code = Unknown desc = command error: EOF, stdout: , stderr: , exit code -1" containerID="24e4a26ed30e7ebdd165f59f294bbe28a4b53a2b79dbcf7dbaa80144ec4cc1fd" cmd=[nslookup -type=soa <hidden-domain> 127.0.0.1] ``` ### CRI-O and Kubernetes version <details> ```console $ crio --version crio version 1.24.2 Version: 1.24.2 GitCommit: f4d632b8f61915e51f70784a5b2dab76a5af05b4 GitTreeState: clean BuildDate: 2022-08-29T12:40:58Z GoVersion: go1.18.5 Compiler: gc Platform: linux/arm64 Linkmode: dynamic BuildTags: apparmor, exclude_graphdriver_devicemapper, containers_image_openpgp, containers_image_ostree_stub, seccomp, selinux SeccompEnabled: true AppArmorEnabled: false ``` ```console $ kubectl version WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version. Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.4", GitCommit:"95ee5ab382d64cfe6c28967f36b53970b8374491", GitTreeState:"clean", BuildDate:"2022-08-17T18:54:23Z", GoVersion:"go1.18.5", Compiler:"gc", Platform:"linux/amd64"} Kustomize Version: v4.5.4 Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.4", GitCommit:"95ee5ab382d64cfe6c28967f36b53970b8374491", GitTreeState:"clean", BuildDate:"2022-08-17T18:47:37Z", GoVersion:"go1.18.5", Compiler:"gc", Platform:"linux/arm64"} ``` </details> ### OS version <details> ```console # cat /etc/os-release PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" # uname -a Linux k8s-node01 5.15.63 #10 SMP Thu Aug 25 11:07:49 UTC 2022 aarch64 GNU/Linux ``` </details> ### Additional environment details (AWS, VirtualBox, physical, etc.) <details> Bare metal. </details>

Topic		Replies	Views
Readiness and liveness probes fail randomly on GKE General Discussions	5	4130	February 11, 2019
Liveness probe report strange exit code General Discussions	3	583	July 26, 2024
APi Server is showing "Liveness probe failed: HTTP probe failed with statuscode: 500" while describing the pod General Discussions apiserver	1	6232	January 19, 2024
Apiserver liveness and readiness probes fail randomly with code 500 General Discussions	3	10558	May 23, 2023
Cri-o with k8s in rhel8 General Discussions development	1	1263	February 19, 2022

All probes (liveness, readiness) fail on Debian 11 / CRI-O 1.25.1 / K8S 1.25.4

Related topics