CC | ci | stop testing with the forked containerd ...

[fidencio]

and test with the image offload to the guest instead.

[fidencio]

/test

[stevenhorsman]

Do we still need the CC_CRI_CONTAINERD_K8S_IMAGE_OFFLOAD_TO_GUEST job if the 'original' ones are testing the image-offload to guest now?

[stevenhorsman]

Oh - I've just noticed it was removed in a later commit, hence showing outdated

[stevenhorsman]

I think we can probable delete these debug logs (or move them into the teardown if they are useful)

[fidencio]

/test

[fidencio]

/test

[fidencio]

/test

[fidencio]

/test

[fidencio]

/test

[stevenhorsman]

/test-ubuntu

[stevenhorsman]

/test-ubuntu

[stevenhorsman]

/test-ubuntu

[stevenhorsman]

/test-ubuntu

[stevenhorsman]

/test

[stevenhorsman]

/test

[stevenhorsman]

/test-ubuntu

[stevenhorsman]

/test-ubuntu

[fidencio]

TDX is not a blocker as the network has been terrible lately and we dropped the cached components due to the lack of maintenance.

[stevenhorsman]

@ryansavino - I think this is just waiting on SEV and SNP now. How is the investigation going as the SNP node has been offline for ~5 days now, or do you want us to merge this as is and you handle the AMD test fixes later?

[stevenhorsman]

/test

[stevenhorsman]

The SEV and SNP tests failed with:

09:01:59 make[1]: *** [tools/packaging/kata-deploy/local-build/Makefile:67: kernel-sev-tarball-build] Error 1
09:01:59 make[1]: Leaving directory '/home/jenkins/workspace/tests-CCv0-ubuntu-20.04_snp-x86_64-CC_SNP_CRI_CONTAINERD_K8S-PR/go/src/github.com/kata-containers/kata-containers'
09:01:59 make: *** [tools/packaging/kata-deploy/local-build/Makefile:97: kernel-sev-tarball] Error 2
09:01:59 [install_kata_image.sh:195] ERROR: sudo -E PATH=/home/jenkins/workspace/tests-CCv0-ubuntu-20.04_snp-x86_64-CC_SNP_CRI_CONTAINERD_K8S-PR/go/bin:/usr/local/go/bin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin make rootfs-initrd-sev-tarball
09:01:59 [install_kata.sh:47] ERROR: .ci/install_kata_image.sh 

and

09:06:28 ERROR: failed to solve: process "/bin/sh -c . /root/.cargo/env; cargo install cargo-when" did not complete successfully: exit code: 127
09:06:28 make: *** [Makefile:96: /home/jenkins/workspace/tests-CCv0-ubuntu-20.04_sev-x86_64-CC_SEV_CRI_CONTAINERD_K8S-PR/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-initrd-sev/builddir/initrd-image/.ubuntu_rootfs.done] Error 1
09:06:29 make[1]: *** [tools/packaging/kata-deploy/local-build/Makefile:67: rootfs-initrd-sev-tarball-build] Error 2
09:06:29 make[1]: Leaving directory '/home/jenkins/workspace/tests-CCv0-ubuntu-20.04_sev-x86_64-CC_SEV_CRI_CONTAINERD_K8S-PR/go/src/github.com/kata-containers/kata-containers'
09:06:29 make: *** [tools/packaging/kata-deploy/local-build/Makefile:127: rootfs-initrd-sev-tarball] Error 2
09:06:29 [install_kata_image.sh:195] ERROR: sudo -E PATH=/home/jenkins/workspace/tests-CCv0-ubuntu-20.04_sev-x86_64-CC_SEV_CRI_CONTAINERD_K8S-PR/go/bin:/usr/local/go/bin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin make rootfs-initrd-sev-tarball
09:06:29 [install_kata.sh:47] ERROR: .ci/install_kata_image.sh 

so I'll retry them to see if that helps

[stevenhorsman]

Both SEV and SNP re-run failed with:

09:32:52 #11 [skopeo 3/4] RUN curl -fsSL "https://github.com/containers/skopeo/archive/v1.9.1.tar.gz"   | tar -xzf - --strip-components=1
09:32:52 #11 0.336 curl: (6) Could not resolve host: github.com

so it looks like network issues on AMD's side?

[ryansavino]

Yeah, I was hoping to see network failure around the same time, but they were a couple hours apart it looks. I've retriggered for now. I'll check up on it.

[stevenhorsman]

SNP failed with:

16:53:57 INFO: Run tests
16:53:57 1..1
16:55:36 not ok 1 [cc][kubernetes][containerd][snp] Test SNP unencrypted container launch success
16:55:36 # (from function `kubernetes_wait_for_pod_ready_state' in file lib.sh, line 42,
16:55:36 #  in test file confidential/snp.bats, line 80)
16:55:36 #   `kubernetes_wait_for_pod_ready_state "$pod_name" 20' failed

SEV looks like a network issue I think

[ryansavino]

I'm not sure how bats executes commands outside of the main tests, setup or teardown methods. The snp test is still failing. I would recommend moving this to the setup_file method. However, I think this check should go in the containerd_nydus_setup.sh. Maybe SEV/SNP tests are the only things experiencing issues with this right now, but that doesn't necessarily mean that other things won't have issue with the snapshotter not being fully initialized later.

[ryansavino]

Same comment here as below for the snp.bats.

[stevenhorsman]

/test

[stevenhorsman]

Network failures again with SEV?

19:00:25 #9 19.82 Reading package lists...
19:00:25 #9 20.51 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Connection failed [IP: 185.125.190.36 80]
19:00:25 #9 20.51 W: Some index files failed to download. They have been ignored, or old ones used instead.
19:00:26 #9 20.55 Reading package lists...
19:00:26 #9 21.25 Building dependency tree...
19:00:26 #9 21.45 Reading state information...
19:00:26 #9 21.57 Some packages could not be installed. This may mean that you have
19:00:26 #9 21.57 requested an impossible situation or if you are using the unstable
19:00:26 #9 21.57 distribution that some required packages have not yet been created
19:00:26 #9 21.57 or been moved out of Incoming.
19:00:26 #9 21.57 The following information may help to resolve the situation:
19:00:26 #9 21.57 
19:00:26 #9 21.57 The following packages have unmet dependencies:
19:00:27 #9 21.68  clang : Depends: clang-10 (>= 10~) but it is not going to be installed
19:00:27 #9 21.68  g++ : Depends: g++-9 (>= 9.3.0-3~) but it is not going to be installed
19:00:27 #9 21.68  libdevmapper-dev : Depends: libudev-dev but it is not going to be installed
19:00:27 #9 21.68                     Depends: libselinux1-dev but it is not going to be installed
19:00:27 #9 21.68  libgpgme-dev : Depends: libc6-dev but it is not going to be installed
19:00:27 #9 21.70 E: Unable to correct problems, you have held broken packages.

[stevenhorsman]

The SNP tests failed again and the log times indicate that both 30s sleeps took effect, so I'm not sure that's the solution:

19:26:47     address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
19:27:17 INFO: Run tests
19:27:17 1..1
19:27:56 not ok 1 [cc][kubernetes][containerd][snp] Test SNP unencrypted container launch success
19:27:56 # (from function `kubernetes_wait_for_pod_ready_state' in file lib.sh, line 42,
19:27:56 #  in test file confidential/snp.bats, line 77)
19:27:56 #   `kubernetes_wait_for_pod_ready_state "$pod_name" 20' failed

[ryansavino]

The last SEV test run, all the tests failed. The pod event failure is showing this error:

15:54:22 #   Normal   Scheduled  21s                default-scheduler  Successfully assigned default/sev-encrypted-dd9f8bbb9-dmsff to amd-coco-ci-ubuntu2004-001
15:54:22 #   Normal   Pulled     12s                kubelet            Successfully pulled image "ghcr.io/confidential-containers/test-container:multi-arch-encrypted" in 1.247186984s
15:54:22 #   Normal   Pulling    11s (x2 over 13s)  kubelet            Pulling image "ghcr.io/confidential-containers/test-container:multi-arch-encrypted"
15:54:22 #   Warning  Failed     11s (x2 over 12s)  kubelet            Error: failed to create containerd container: create instance 697: object with key "697" already exists: unknown
15:54:22 #   Normal   Pulled     11s                kubelet            Successfully pulled image "ghcr.io/confidential-containers/test-container:multi-arch-encrypted" in 396.519239ms

Has anyone seen this type of error before?

[stevenhorsman]

The last SEV test run, all the tests failed. The pod event failure is showing this error:

15:54:22 #   Normal   Scheduled  21s                default-scheduler  Successfully assigned default/sev-encrypted-dd9f8bbb9-dmsff to amd-coco-ci-ubuntu2004-001
15:54:22 #   Normal   Pulled     12s                kubelet            Successfully pulled image "ghcr.io/confidential-containers/test-container:multi-arch-encrypted" in 1.247186984s
15:54:22 #   Normal   Pulling    11s (x2 over 13s)  kubelet            Pulling image "ghcr.io/confidential-containers/test-container:multi-arch-encrypted"
15:54:22 #   Warning  Failed     11s (x2 over 12s)  kubelet            Error: failed to create containerd container: create instance 697: object with key "697" already exists: unknown
15:54:22 #   Normal   Pulled     11s                kubelet            Successfully pulled image "ghcr.io/confidential-containers/test-container:multi-arch-encrypted" in 396.519239ms

Has anyone seen this type of error before?

Yes, I saw an error like that when I as getting the non-TEE test working locally. I can't remember the context though. Can you try cleaning up the imaged you have with crictl rmi as that might be how I solved it?

[fitzthum]

Has anyone seen this type of error before?

I saw the same failure on one of the SEV runs last week. I'm a bit worried we're introducing a new intermittent issue.

[ryansavino]

The snp.bats was failing with the "object with key [] already exists" message. I cleaned up the test image on the host using the below command:

sudo crictl -r unix:///run/containerd/containerd.sock rmi ghcr.io/confidential-containers/test-container:unencrypted

This fixed the above error. I ran a full test after that and the snp.bats passed successfully. So I think we still need that sleep or a script to detect nydus snapshotter is fully up and running. My hunch is that this will fix the sev.bats as well. I've cleaned up that image on the SEV node, and I'm re-triggering the tests.
I'm not sure why the key exists error is only getting thrown in certain scenarios. It seems now that I've resolved it, I can run the test over and over and it passes. Weird.
One other thing I was going to recommend @stevenhorsman. I noticed the pod takes more time to come up. Can we try increasing the timeout for checking if the pod is ready as well?
https://github.com/fidencio/kata-tests/blob/594918474a1026108658d2113ca7f1af7cc29fb3/integration/kubernetes/confidential/snp.bats#L77
https://github.com/fidencio/kata-tests/blob/594918474a1026108658d2113ca7f1af7cc29fb3/integration/kubernetes/confidential/sev.bats#L128 (L128,162,193,228,263)
Maybe increase 20 to 30.

[ryansavino]

SEV Test 1 failed, can we try increasing the timeout values?

[stevenhorsman]

SEV Test 1 failed, can we try increasing the timeout values?

Yeah, I'll try bumping them all to 40 to see if that helps

[stevenhorsman]

/test

[stevenhorsman]

The bits that others did LGTM and the tests are passing

[fidencio]

LGTM as well, let's have it merged.