[lxc-devel] veth interface not deleted after container shutdown

Daniel Lezcano daniel.lezcano at free.fr
Fri Jan 8 21:02:16 UTC 2010


Denis Rizaev wrote:
> I think the problem is in TIME_WAIT sockets that can exist without any
> processes running. 
The TIME_WAIT sockets are wiped out when the network namespace exits, and 
they don't hold a refcount on the network namespace. I coded the function ;)

The sockets can generally be orphaned (not attached to a process) if 
the send queue is not empty. I mean a process can push a large amount of 
data and part of this data is buffered by the kernel until the tcp stack 
receives the ack for the packets. But from the userspace POV, the data 
were sent and the application may exit. So the socket stays there until 
everything is acknowledged by the peer.

> But when we do lxc-stop we must be sure that the container has
> really stopped, so maybe we need to manually destroy network interfaces
> rather than rely on kernel namespace destruction logic?
>   

Mmh, it's possible for the veth interfaces but not for other virtual 
interfaces, like macvlan. I think this is something that should be 
handled by the kernel. The question is: shall the kernel provide a 
service to force the destruction of the network stack in order to have 
the same behavior as shutting down a real host.

My personal opinion is yes, especially because this is needed for 
migrating an application.

> 2010/1/8 Daniel Lezcano <daniel.lezcano at free.fr>
>
>   
>> Denis Rizaev wrote:
>>
>>     
>>> Hello, I'm running lxc in production for 1 month and noticed a bug:
>>> high-loaded veth interfaces are not destroyed after lxc-stop.
>>> This results in errors when we try to start this container again. As a
>>> workaround I manually do something like ip link del veth_<container_name>.
>>> I have two high-traffic containers (~10 mbit/s each) and this bug appears
>>> on them. The other six, almost idle, containers destroy their veth
>>> interfaces properly.
>>>
>>>
>>>       
>> The veth interfaces, like any virtual interface in the network namespace, are
>> automatically destroyed by the kernel when a network namespace is destroyed.
>>
>> The network namespace is destroyed when there is no more ref count on it.
>> And the processes, the sockets, the routes and some more things get a
>> refcount on it when they are created.
>>
>> So, you may check if after a long time (at least until all tcp timers have
>> expired, so the sockets are destroyed), the interfaces are still there. If
>> this is the case, then the kernel does not release a refcount somewhere and
>> it's probably a kernel bug.
>>
>>     
>
>   
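The check Daniel suggests (wait until the socket timers have had time to expire, then see whether the host-side veth is still there) and the manual `ip link del` workaround Denis describes, combined into one script. This is an added example written for this page, not code from the lxc project or from either poster. It assumes the host-side interface is named veth_<container_name>, as in Denis's mail, and that it is run as root on the host after lxc-stop has returned; the interface listing used by the stand-alone check is a constructed sample, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not lxc project code): after lxc-stop, give the kernel a
# chance to tear the network namespace down on its own; only if the
# host-side veth is still present after the timeout, delete it by hand.
# Assumption: host-side interfaces are named veth_<container_name>.

# Return 0 if interface $2 is listed in the `ip -o link show` output in $1.
# Parsing is done on the text so it can be exercised without root.
veth_listed() {
    listing="$1"
    ifname="$2"
    printf '%s\n' "$listing" | awk -v want="$ifname" '
        {
            name = $2                 # e.g. "veth_web@if2:" or "lo:"
            sub(/:$/, "", name)       # drop the trailing colon
            sub(/@.*/, "", name)      # drop the "@ifN" peer suffix
            if (name == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check against this host's interfaces (needs a real `ip`).
veth_present() {
    veth_listed "$(ip -o link show 2>/dev/null)" "$1"
}

# Poll once a second, up to $2 seconds, for interface $1 to disappear.
# Returns 0 if the kernel released it, 1 if it is still there.
wait_for_veth_gone() {
    ifname="$1"
    timeout="${2:-60}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        veth_present "$ifname" || return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Wait, then fall back to the manual workaround from the thread.
# Deleting the host side of a veth pair removes both ends.
cleanup_veth() {
    ifname="$1"
    timeout="${2:-60}"
    if wait_for_veth_gone "$ifname" "$timeout"; then
        echo "$ifname: released by the kernel"
        return 0
    fi
    echo "$ifname: still present after ${timeout}s, deleting by hand" >&2
    ip link del "$ifname"
}

# Constructed sample of `ip -o link show` output (not from a real host),
# used to exercise veth_listed stand-alone.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
7: veth_web@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxcbr0 state UP'

# Usage on a host: sh veth-cleanup.sh veth_<container_name> [timeout_seconds]
if [ -n "${1:-}" ]; then
    cleanup_veth "$1" "${2:-60}"
fi
```

The timeout exists because, as Daniel explains, an orphaned socket with unacknowledged data keeps the namespace (and with it the veth) alive until the peer acks or the tcp timers give up; deleting the interface immediately after lxc-stop would hide that and make the "long time" check impossible. If the interface is still there well after every tcp timer could have expired, that is the case he describes as a probable kernel refcount bug, and the manual delete is only a workaround for it.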
