[lxc-devel] veth interface not deleted after container shutdown
Daniel Lezcano
daniel.lezcano at free.fr
Fri Jan 8 21:02:16 UTC 2010
Denis Rizaev wrote:
> I think the problem is in TIME_WAIT sockets that can exist without any
> processes running.
The TIME_WAIT sockets are wiped out when the network namespace exits and
they don't hold a refcount on the network namespace; I coded the
function ;)
The sockets can generally be orphaned (not attached to a process) if
the send queue is not empty. I mean a process can push a large amount of
data and part of this data is buffered by the kernel until the tcp stack
receives the ack for the packets. But from the userspace POV, the data
were sent and the application may exit. So the socket stays there until
everything is acknowledged by the peer.
> But when we do lxc-stop we must be sure that container
> really stopped, so maybe we need to manually destroy network interfaces
> rather than rely on kernel namespace destruction logic?
>
Mmh, it's possible for the veth interfaces but not for other virtual
interfaces, like macvlan. I think this is something that should be
handled by the kernel. The question is: shall the kernel provide a
service to force the destruction of the network stack in order to have
the same behavior as shutting down a real host?
My personal opinion is yes, especially because this is needed for
migrating an application.
> 2010/1/8 Daniel Lezcano <daniel.lezcano at free.fr>
>
>> Denis Rizaev wrote:
>>
>>> Hello, I'm running lxc in production for 1 month and noticed a bug:
>>> high-loaded veth interfaces are not destroyed after lxc-stop.
>>> This results in errors when we try to start this container again. As a
>>> workaround I manually do something like ip link del veth_<container_name>.
>>> I have two high-traffic containers (~10 mbit/s each) and this bug appears
>>> on them. The other six almost idle containers destroy their veth
>>> interfaces properly.
>>>
>> The veth interfaces, as any virtual interface in the network namespace, are
>> automatically destroyed by the kernel when a network namespace is destroyed.
>>
>> The network namespace is destroyed when there is no more ref count on it.
>> And the processes, the sockets, the routes and some more things get a
>> refcount on it when they are created.
>>
>> So, you may check if after a long time (at least all tcp timers have
>> expired, so the sockets are destroyed), the interfaces are still there. If
>> this is the case, then the kernel does not release a refcount somewhere and
>> it's probably a kernel bug.
>>
>
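The orphaned-socket situation described above, as an added example that is not part of the thread: a loopback peer accepts a connection but never reads, the sender fills the kernel send queue until send() would block, and then closes its socket. The bytes still queued are read with the Linux SIOCOUTQ ioctl (assumed available as termios.TIOCOUTQ); they remain in the kernel after the sender has "exited", which is what keeps the socket, and so the network namespace, alive.

```python
"""Show that TCP data can outlive the application that sent it (Linux only)."""
import array
import fcntl
import socket
import termios

# SIOCOUTQ == TIOCOUTQ on Linux: bytes in the send queue not yet acked by the peer.
SIOCOUTQ = getattr(termios, "TIOCOUTQ", 0x5411)


def unacked_bytes(sock):
    """Return how many bytes of sock's send queue the peer has not acknowledged."""
    buf = array.array("i", [0])
    fcntl.ioctl(sock.fileno(), SIOCOUTQ, buf, True)
    return buf[0]


def fill_send_queue():
    """Push data to a peer that never reads; return (bytes_accepted, bytes_queued).

    bytes_accepted is what send() reported as sent from the userspace POV;
    bytes_queued is what is still sitting in the kernel, unacknowledged,
    at the moment the sender closes its socket.
    """
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    client = socket.create_connection(server.getsockname())
    peer, _ = server.accept()          # accepted, but peer.recv() is never called
    client.setblocking(False)
    chunk = b"x" * 65536
    accepted = 0
    while True:
        try:
            accepted += client.send(chunk)   # returns as soon as the kernel buffered it
        except BlockingIOError:
            break                      # peer's receive window and our send buffer are full
    queued = unacked_bytes(client)
    client.close()                     # the "application exits"; the queue stays in the kernel
    peer.close()                       # tear the local peer down so the example cleans up
    server.close()
    return accepted, queued


if __name__ == "__main__":
    sent, left = fill_send_queue()
    print(f"send() accepted {sent} bytes; {left} bytes still unacked at close()")
```

Outside this example the peer is on a remote host, so nothing local drains that queue; the socket lingers until the peer acknowledges everything or the TCP timers give up.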